enabled: Integrate the JDBC Datasource with the JTA TransactionManager of Quarkus. This is the default.
xa: Similarly to enabled, also enables integration with the JTA TransactionManager of Quarkus, but enabling XA transactions as well. Requires a JDBC driver implementing javax.sql.XADataSource.
disabled: Disables the Agroal integration with the Narayana TransactionManager. This is typically a bad idea, and is only useful in special cases: make sure to not use this without having a deep understanding of the implications.
Default: enabled
The initial size of the pool. Usually you will want to set the initial size to match at least the minimal size, but this is not enforced, so as to allow for architectures which prefer a lazy initialization of the connections on boot while being able to sustain a minimal pool size after boot.
When enabled, Agroal will be able to produce a warning when a connection is returned to the pool without the application having closed all open statements. This is unrelated to the tracking of open connections. Disable for peak performance, but only when there’s high confidence that no leaks are happening.
Forces connection validation prior to acquisition (foreground validation) regardless of the idle status.
Because of the overhead of performing validation on every call, it’s recommended to rely on default idle validation instead, and to leave this to false.
Require an active transaction when acquiring a connection. Recommended for production. WARNING: Some extensions acquire connections without holding a transaction for things like schema updates and schema validation. Setting this to STRICT may lead to failures in those cases.
The exception classes expected to be thrown by the handler. Any exception thrown by the handler that is an instance of a class in this list will not be logged, but will otherwise be handled normally by the lambda runtime. This is useful for avoiding unnecessary stack traces while preserving the ability to log unexpected exceptions.
The handler name. Handler names are specified on handler classes using the @jakarta.inject.Named annotation. If this name is unspecified and there is exactly one unnamed implementation of com.amazonaws.services.lambda.runtime.RequestHandler then this unnamed handler will be used. If there is only a single named handler and the name is unspecified then the named handler will be used.
Environment variable: QUARKUS_LAMBDA_HANDLER
string
Amazon Lambda AWS Gateway REST API
Type
Default
quarkus.lambda-http.enable-security
Enable security mechanisms to process lambda and AWS based security (i.e. Cognito, IAM) from the http event sent from API Gateway
Regular expression to locate role values within a Cognito claim string. By default it looks for space delimited strings enclosed in brackets "[^\[\] \t]+"
If set to true @Inject is automatically added to all non-static non-final fields that are annotated with one of the annotations defined by AutoInjectAnnotationBuildItem.
If set to true, the bytecode of unproxyable beans will be transformed. This ensures that a proxy/subclass can be created properly. If the value is set to false, then an exception is thrown at build time indicating that a subclass/proxy could not be created. Quarkus performs the following transformations when this setting is enabled:
Remove 'final' modifier from classes and methods when a proxy is required.
Create a no-args constructor if needed.
Make private no-args constructors package-private if necessary.
If set to true, the bytecode of private fields that are injection points will be transformed to package private. This ensures that field injection can be performed completely reflection-free. If the value is set to false, then a reflection fallback is used to perform the injection.
If set to true (the default), the build fails if a private method that is neither an observer nor a producer, is annotated with an interceptor binding. An example of this is the use of Transactional on a private method of a bean. If set to false, Quarkus simply logs a warning that the annotation will be ignored.
The list of selected alternatives for an application.
An element value can be:
a fully qualified class name, i.e. org.acme.Foo
a simple class name as defined by Class#getSimpleName(), i.e. Foo
a package name with suffix .*, i.e. org.acme.*, matches a package
a package name with suffix .**, i.e. org.acme.**, matches a package that starts with the value
Each element value is used to match an alternative bean class, an alternative stereotype annotation type or a bean class that declares an alternative producer. If any value matches then the priority of Integer#MAX_VALUE is used for the relevant bean. The priority declared via jakarta.annotation.Priority is overridden.
If set to true then jakarta.enterprise.inject.Produces is automatically added to all non-void methods that are annotated with a scope annotation, a stereotype or a qualifier, and are not annotated with Inject or Produces, and no parameter is annotated with Disposes, Observes or ObservesAsync.
The list of types that should be excluded from discovery.
An element value can be:
a fully qualified class name, i.e. org.acme.Foo
a simple class name as defined by Class#getSimpleName(), i.e. Foo
a package name with suffix .*, i.e. org.acme.*, matches a package
a package name with suffix .**, i.e. org.acme.**, matches a package that starts with the value
If any element value matches a discovered type then the type is excluded from discovery, i.e. no beans and observer methods are created from this type.
Environment variable: QUARKUS_ARC_EXCLUDE_TYPES
list of string
quarkus.arc.unremovable-types
List of types that should be considered unremovable regardless of whether they are directly used or not. This is a configuration option equivalent to using the io.quarkus.arc.Unremovable annotation.
An element value can be:
a fully qualified class name, i.e. org.acme.Foo
a simple class name as defined by Class#getSimpleName(), i.e. Foo
a package name with suffix .*, i.e. org.acme.*, matches a package
a package name with suffix .**, i.e. org.acme.**, matches a package that starts with the value
If any element value matches a discovered bean, then such a bean is considered unremovable.
If set to true then the container attempts to detect "unused removed beans" false positives during programmatic lookup at runtime. You can disable this feature to conserve some memory when running your application in production.
If set to true then the container attempts to detect wrong usages of annotations and eventually fails the build to prevent unexpected behavior of a Quarkus application.
A typical example is @jakarta.ejb.Singleton, which is often confused with @jakarta.inject.Singleton. As a result, a component annotated with @jakarta.ejb.Singleton would be completely ignored. Another example is an inner class annotated with a scope annotation: this component would again be completely ignored.
If set to true, the container will perform additional validations mandated by the CDI specification. Some improvements on top of the CDI specification may be disabled. Applications that work as expected in the strict mode should work without a change in the default, non-strict mode.
The strict mode is mainly introduced to allow passing the CDI Lite TCK. Applications are recommended to use the default, non-strict mode, which makes CDI more convenient to use. The "strictness" of the strict mode (the set of additional validations and the set of disabled improvements on top of the CDI specification) may change over time.
Note that transform-unproxyable-classes and remove-unused-beans also have an effect on specification compatibility. You may want to disable these features to get behavior closer to the specification.
If set to true and the SmallRye Context Propagation extension is present then the CDI contexts will be propagated by means of the MicroProfile Context Propagation API. Specifically, a org.eclipse.microprofile.context.spi.ThreadContextProvider implementation is registered. On the other hand, if set to false then the MicroProfile Context Propagation API will never be used to propagate the CDI contexts. Note that the CDI contexts may still be propagated in a different way, for example with the Vertx duplicated context.
Default configuration applied to all Caffeine caches (lowest precedence)
Type
Default
quarkus.cache.caffeine.initial-capacity
Minimum total size for the internal data structures. Providing a large enough estimate at construction time avoids the need for expensive resizing operations later, but setting this value unnecessarily high wastes memory.
Maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn’t been used recently or very often.
Specifies that each entry should be automatically removed from the cache once a fixed duration has elapsed after the entry’s creation, or the most recent replacement of its value.
Specifies that each entry should be automatically removed from the cache once a fixed duration has elapsed after the entry’s creation, the most recent replacement of its value, or its last read.
Whether or not metrics are recorded if the application depends on the Micrometer extension. Setting this value to true will enable the accumulation of cache stats inside Caffeine.
DOCKER_HOST value to use. If not set, the env var DOCKER_HOST is used; if that is not set, the value 'unix:///var/run/docker.sock' (or 'npipe:///./pipe/docker_engine' for Windows) is used.
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 21 or higher, registry.access.redhat.com/ubi8/openjdk-21-runtime:1.20 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20 is used as the default.
Environment variable: QUARKUS_JIB_BASE_JVM_IMAGE
string
quarkus.jib.base-native-image
The base image to be used when a container image is being produced for the native binary build. The default is "quay.io/quarkus/quarkus-micro-image". You can also use "registry.access.redhat.com/ubi8/ubi-minimal", which is a bigger base image but provides more built-in utilities such as the microdnf package manager.
If this is set, then it will be used as the entry point of the container image. There are a few things to be aware of when creating an entry point:
Entrypoint "INHERIT" means to inherit the entrypoint from the base image; the jvmArguments field is used for arguments.
A valid entrypoint is jar package specific (see quarkus.package.jar.type).
A valid entrypoint depends on the location of both the launching scripts and the application jar file. To that end it’s helpful to remember that when fast-jar packaging is used (the default), all necessary application jars are added to the /work directory and that the same directory is also used as the working directory. When legacy-jar or uber-jar are used, the application jars are unpacked under the /app directory and that directory is used as the working directory.
Even if the jvmArguments field is set, it is ignored completely unless entrypoint is "INHERIT". When this is not set, a proper default entrypoint will be constructed. As a final note, a very useful tool for inspecting container image layers that can greatly aid when debugging problems with entrypoints is dive.
Environment variable: QUARKUS_JIB_JVM_ENTRYPOINT
list of string
quarkus.jib.native-entrypoint
If this is set, then it will be used as the entry point of the container image. There are a few things to be aware of when creating an entry point:
Entrypoint "INHERIT" means to inherit the entrypoint from the base image; the nativeArguments field is used for arguments.
A valid entrypoint depends on the location of both the launching scripts and the native binary file. To that end it’s helpful to remember that the native application is added to the /work directory and that the same directory is also used as the working directory.
Even if the nativeArguments field is set, it is ignored completely unless entrypoint is "INHERIT". When this is not set, a proper default entrypoint will be constructed. As a final note, a very useful tool for inspecting container image layers that can greatly aid when debugging problems with entrypoints is dive.
Controls the optimization which skips downloading base image layers that already exist in the target registry. If this property is not set, it is read as false. If true, base image layers are always pulled and cached. If false, base image layers will not be pulled or cached if they already exist in the target registry.
List of target platforms. Each platform is defined using the pattern:
<os>|<arch>[/variant]|<os>/<arch>[/variant]
for example:
linux/amd64,linux/arm64/v8
If not specified, OS default is linux and architecture default is amd64. If more than one platform is configured, it is important to note that the base image has to be a Docker manifest or an OCI image index containing a version of each chosen platform. The feature does not work with native images, as cross-compilation is not supported. This configuration is based on an incubating feature of Jib. See Jib FAQ for more information.
Environment variable: QUARKUS_JIB_PLATFORMS
list of string
quarkus.jib.image-digest-file
The path of a file in which the digest of the generated image will be written. If the path is relative, the base path is the output directory of the build tool.
The path of a file in which the id of the generated image will be written. If the path is relative, the base path is the output directory of the build tool.
Environment variable: QUARKUS_JIB_IMAGE_ID_FILE
string
jib-image.id
quarkus.jib.offline-mode
Whether or not to operate offline.
Environment variable: QUARKUS_JIB_OFFLINE_MODE
boolean
false
quarkus.jib.docker-executable-name
Name of binary used to execute the docker commands. This is only used by Jib when the container image is being built locally.
Whether to set the creation time to the actual build time. Otherwise, the creation time will be set to the Unix epoch (00:00:00, January 1st, 1970 in UTC). See Jib FAQ for more information
Whether to set the modification time (last modified time) of the files put by Jib in the image to the actual build time. Otherwise, the modification time will be set to the Unix epoch (00:00:00, January 1st, 1970 in UTC). If the modification time is constant (flag is set to false so Unix epoch is used) across two consecutive builds, the docker layer sha256 digest will be different only if the actual files added by Jib to the docker layer were changed. More exactly, having 2 consecutive builds will generate different docker layers only if the actual content of the files within the docker layer was changed. If the current timestamp is used the sha256 digest of the docker layer will always be different even if the content of the files didn’t change.
The base image to be used when a container image is being produced for the jar build. The value of this property is used to create an ImageStream for the builder image used in the Openshift build. When it references images already available in the internal Openshift registry, the corresponding streams are used instead. When the application is built against Java 21 or higher, registry.access.redhat.com/ubi8/openjdk-21:1.20 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-17:1.20 is used as the default.
The base image to be used when a container image is being produced for the native binary build. The value of this property is used to create an ImageStream for the builder image used in the Openshift build. When it references images already available in the internal Openshift registry, the corresponding streams are used instead.
The directory where the jar is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
The directory where the native binary is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
The resulting filename of the native binary in the S2I image. This option may be used if the selected S2I image uses a fixed name for the native binary.
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 21 or higher, registry.access.redhat.com/ubi8/openjdk-21:1.20 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-17:1.20 is used as the default.
Environment variable: QUARKUS_S2I_BASE_JVM_IMAGE
string
quarkus.s2i.base-native-image
The base image to be used when a container image is being produced for the native binary build
The directory where the jar is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
Environment variable: QUARKUS_S2I_JAR_DIRECTORY
string
/deployments/target/
quarkus.s2i.jar-file-name
The resulting filename of the jar in the S2I image. This option may be used if the selected S2I image uses a fixed name for the jar.
Environment variable: QUARKUS_S2I_JAR_FILE_NAME
string
quarkus.s2i.native-binary-directory
The directory where the native binary is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
The resulting filename of the native binary in the S2I image. This option may be used if the selected S2I image uses a fixed name for the native binary.
The path of the banner (relative to the root of the classpath) which can be provided by the user.
Environment variable: QUARKUS_BANNER_PATH
string
default_banner.txt
quarkus.banner.enabled
Whether the banner will be displayed
Environment variable: QUARKUS_BANNER_ENABLED
boolean
true
Bootstrap
Type
Default
quarkus.bootstrap.effective-model-builder
If set to true, the workspace initialization will be based on the effective POMs (i.e. properly interpolated, including support for profiles) instead of the raw ones.
If set to true, workspace discovery will be enabled for all launch modes. Usually, workspace discovery is enabled by default only for dev and test modes.
By default, the bootstrap mechanism will create a shared cache of open JARs for Quarkus classloaders to reduce the total number of opened ZIP FileSystems in dev and test modes. Setting system property quarkus.bootstrap.disable-jar-cache to true will make Quarkus classloaders create a new ZIP FileSystem for each JAR classpath element every time it is added to a Quarkus classloader.
A temporary option introduced to avoid a logging warning when -Dquarkus.bootstrap.incubating-model-resolver is added to the build command line. This option enables an incubating implementation of the Quarkus Application Model resolver. This option will be removed as soon as the incubating implementation becomes the default one.
Artifacts that are loaded in a parent first manner. This can be used to work around issues where a given class needs to be loaded by the system ClassLoader. Note that if you make a library parent first all its dependencies should generally also be parent first.
Artifacts should be configured as a comma separated list of artifact ids, with the group, artifact-id and optional classifier separated by a colon.
This config property can only be set in application.properties
Artifacts that are loaded in the runtime ClassLoader in dev mode, so they will be dropped and recreated on change.
This is an advanced option, it should only be used if you have a problem with libraries holding stale state between reloads. Note that if you use this any library that depends on the listed libraries will also need to be reloadable.
This setting has no impact on production builds.
Artifacts should be configured as a comma separated list of artifact ids, with the group, artifact-id and optional classifier separated by a colon.
This config property can only be set in application.properties
Artifacts that will never be loaded by the class loader, and will not be packed into the final application. This allows you to explicitly remove artifacts from your application even though they may be present on the class path.
Resources that should be removed/hidden from dependencies.
This allows for classes and other resources to be removed from dependencies, so they are not accessible to the application. This is a map of artifact id (in the form group:artifact) to a list of resources to be removed.
When running in dev and test mode these resources are hidden from the ClassLoader, when running in production mode these files are removed from the jars that contain them.
Note that if you want to remove a class you need to specify the class file name. e.g. to remove com.acme.Foo you would specify com/acme/Foo.class.
Note that for technical reasons this is not supported when running with JBang.
A comma separated list of profiles that will be active when Quarkus launches.
Environment variable: QUARKUS_PROFILE
list of string
quarkus.config.profile.parent
Accepts a single configuration profile name. If a configuration property cannot be found in the current active profile, the config performs the same lookup in the profile set by this configuration.
Additional config locations to be loaded with the Config. The configuration supports multiple locations separated by a comma, and each must represent a valid java.net.URI.
Enable logging of configuration values lookup in DEBUG log level.
Logging configuration values requires the io.smallrye.config category to be set to DEBUG: quarkus.log.category."io.smallrye.config".level=DEBUG.
Environment variable: QUARKUS_CONFIG_LOG_VALUES
boolean
quarkus.uuid
A property that allows accessing a generated UUID. The UUID is generated at startup time, so it changes between two starts, including in dev mode.
Access this generated UUID using expressions: ${quarkus.uuid}.
File in which the configuration dump should be stored. If not configured, the file-prefix and file-suffix will be used to generate the final file name. If the configured file path is absolute, the directory option will be ignored. Otherwise, the path will be considered relative to the directory.
A list of config properties whose values should be hashed in the report. The values will be hashed using the SHA-512 algorithm. GLOB patterns can be used instead of property names.
What should happen if the application is started with a different build time configuration than it was compiled against. This may be useful to prevent misconfiguration.
If this is set to warn the application will warn at start up.
If this is set to fail the application will fail at start up.
Native tests leveraging `@io.quarkus.test.junit.TestProfile` are always run with quarkus.configuration.build-time-mismatch-at-runtime = fail.
Detection mode of invalid usage of execution model annotations.
The execution model annotations are @Blocking, @NonBlocking and @RunOnVirtualThread. These annotations may only be used on "entrypoint" methods (methods invoked by various frameworks in Quarkus); using them on methods that can only be invoked by application code is invalid.
fail: Invalid usage of execution model annotations causes build failure.
warn: Invalid usage of execution model annotations causes a warning during build.
disabled: No detection of invalid usage of execution model annotations.
Default: fail
IDE
Type
Default
quarkus.ide.target
The IDE to use to open files from the DevUI. auto means that Quarkus will attempt to determine the IDE being used.
Environment variable: QUARKUS_IDE_TARGET
auto, idea, vscode, eclipse, netbeans
auto
Indexing
Type
Default
Artifacts on the classpath that should also be indexed
If true, exit right after initialization. This option is not meant to be used directly by users.
Environment variable: QUARKUS_INIT_AND_EXIT
boolean
false
JNI
Type
Default
quarkus.jni.library-paths
Paths of libraries to load.
Environment variable: QUARKUS_JNI_LIBRARY_PATHS
list of string
Launch
Type
Default
quarkus.launch.rebuild
If set to true, Quarkus will perform re-augmentation (assuming the mutable-jar package type is used)
Environment variable: QUARKUS_LAUNCH_REBUILD
boolean
false
Live reload
Type
Default
quarkus.live-reload.enabled
Whether the live-reload feature should be enabled.
Environment variable: QUARKUS_LIVE_RELOAD_ENABLED
boolean
true
quarkus.live-reload.instrumentation
Whether Quarkus should avoid a full restart when changes to classes are compatible with JVM instrumentation. If this is set to true, Quarkus will perform class redefinition when possible.
If console logging should go to System#err instead of System#out.
Environment variable: QUARKUS_LOG_CONSOLE_STDERR
boolean
false
quarkus.log.console.format
The log format. Note that this value is ignored if an extension is present that takes control of console formatting (e.g., an XML or JSON-format extension).
Specify how much the colors should be darkened. Note that this value is ignored if an extension is present that takes control of console formatting (e.g., an XML or JSON-format extension).
Environment variable: QUARKUS_LOG_CONSOLE_DARKEN
int
0
quarkus.log.console.filter
The name of the filter to link to the console handler.
Set to true to truncate the message if it exceeds maximum length
Environment variable: QUARKUS_LOG_SYSLOG_TRUNCATE
boolean
true
quarkus.log.syslog.block-on-reconnect
Enables or disables blocking when attempting to reconnect a org.jboss.logmanager.handlers.SyslogHandler.Protocol#TCP (TCP) or org.jboss.logmanager.handlers.SyslogHandler.Protocol#SSL_TCP (SSL TCP) protocol.
By default, Quarkus will install a non-functional JNDI initial context, to help mitigate against Log4Shell style attacks. If your application does need to use JNDI you can change this flag.
Environment variable: QUARKUS_NAMING_ENABLE_JNDI
boolean
false
Native executables
Type
Default
quarkus.native.enabled
Set to enable native-image building using GraalVM.
Environment variable: QUARKUS_NATIVE_ENABLED
boolean
false
quarkus.native.sources-only
Set to prevent the native-image process from actually building the native image.
Environment variable: QUARKUS_NATIVE_SOURCES_ONLY
boolean
false
quarkus.native.additional-build-args
Comma-separated, additional arguments to pass to the build process. If an argument includes the , symbol, it needs to be escaped, e.g. \\,
The default value for java.awt.headless JVM option. Switching this option affects linking of awt libraries.
Environment variable: QUARKUS_NATIVE_HEADLESS
boolean
true
quarkus.native.file-encoding
Defines the file encoding as in -Dfile.encoding=…. The native image runtime uses the host’s (i.e. build time) value of the file.encoding system property. We intentionally default this to UTF-8 to avoid platform-specific defaults being picked up, which can then result in inconsistent behavior in the generated native executable.
If the native image build should wait for a debugger to be attached before running. This is an advanced option and is generally only intended for those familiar with GraalVM internals
If a JVM based 'fallback image' should be created if native image fails. This is not recommended, as this is functionally the same as just running the application in a JVM
If the bytecode of all proxies should be dumped for inspection
Environment variable: QUARKUS_NATIVE_DUMP_PROXIES
boolean
false
quarkus.native.container-build
If this build should be done using a container runtime. Unless container-runtime is also set, docker will be used by default. If docker is not available or is an alias to podman, podman will be used instead as the default.
Explicit configuration option to generate a native Position Independent Executable (PIE) for Linux. If the system supports PIE generation, the default behaviour is to disable it for performance reasons. However, some systems can only run position-independent executables, so this option enables the generation of such native executables.
Environment variable: QUARKUS_NATIVE_PIE
boolean
quarkus.native.march
Generate instructions for a specific machine type. Defaults to x86-64-v3 on AMD64 and armv8-a on AArch64. Use compatibility for best compatibility, or native for best performance if a native executable is deployed on the same machine or on a machine with the same CPU features. A list of all available machine types is available by executing native-image -march=list
Environment variable: QUARKUS_NATIVE_MARCH
string
quarkus.native.remote-container-build
If this build is done using a remote docker daemon.
The docker image to use to do the image build. It can be one of graalvm, mandrel, or the full image path, e.g. quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21.
The strategy for pulling the builder image during the build.
Defaults to 'always', which will always pull the most up-to-date image; useful to keep up with fixes when a (floating) tag is updated.
Use 'missing' to only pull if there is no image locally; useful on development environments where building with out-of-date images is acceptable and bandwidth may be limited.
Use 'never' to fail the build if there is no image locally.
always: Always pull the most recent image.
missing: Only pull the image if it’s missing locally.
never: Never pull any image; fail if the image is missing locally.
Default: always
quarkus.native.container-runtime
The container runtime (e.g. docker) that is used to do an image based build. If this is set then a container build is always done.
If errors should be reported at runtime. This is a more relaxed setting; however, it is not recommended, as it means your application may fail at runtime if an unsupported feature is used by accident. Note that the use of this flag may result in build time failures due to `ClassNotFoundException`s, most likely because the Quarkus extension already optimized the class away or does not actually need it. In such cases you should explicitly add the dependency providing the missing classes to your project.
Don’t build a native image if it already exists. This is useful if you have already built an image and you want to use Quarkus to deploy it somewhere. Note that this cannot detect whether the existing image is outdated; if you have modified source or config and want a new image, you must not use this flag.
A comma separated list of globs to match resource paths that should be added to the native image.
Use slash (/) as a path separator on all platforms. Globs must not start with slash.
By default, no resources are included.
Example: Given that you have src/main/resources/ignored.png and src/main/resources/foo/selected.png in your source tree and one of your dependency JARs contains bar/some.txt file, with the following configuration
the files src/main/resources/foo/selected.png and bar/some.txt will be included in the native image, while src/main/resources/ignored.png will not be included.
Supported glob features (feature: description):
*: Matches a (possibly empty) sequence of characters that does not contain slash (/)
**: Matches a (possibly empty) sequence of characters that may contain slash (/)
?: Matches one character, but not slash
[abc]: Matches one character given in the bracket, but not slash
[a-z]: Matches one character from the range given in the bracket, but not slash
[!abc]: Matches one character not named in the bracket; does not match slash
[!a-z]: Matches one character outside the range given in the bracket; does not match slash
{one,two,three}: Matches any of the alternating tokens separated by comma; the tokens may contain wildcards, nested alternations and ranges
\: The escape character
Note that there are three levels of escaping when passing this option via application.properties:
* application.properties parser
* MicroProfile Config list converter that splits the comma separated list
* Glob parser
All three levels use backslash (\) as the escaping character, so you need to use an appropriate number of backslashes depending on which level you want to escape.
Note that Quarkus extensions typically include the resources they require by themselves. This option is useful in situations when the built-in functionality is not sufficient.
A comma separated list of globs to match resource paths that should not be added to the native image.
Use slash (/) as a path separator on all platforms. Globs must not start with slash.
Please refer to includes for details about the glob syntax.
By default, no resources are excluded.
Example: Given that you have src/main/resources/red.png and src/main/resources/foo/green.png in your source tree and one of your dependency JARs contains bar/blue.png file, with the following configuration
the resource red.png will be available in the native image while the resources foo/green.png and bar/blue.png will not be available in the native image.
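The include/exclude semantics described for the two resource options above, as an added example that is not Quarkus' own implementation: a translator from the documented glob feature set (single and double star, `?`, plain and negated brackets, nested alternations, backslash escapes) into Python regular expressions, plus the include-then-exclude selection applied to candidate resource paths. The glob values used for the two documented examples are assumed, since this excerpt does not show the configuration snippets themselves; the path lists mirror the ones named in the text.

```python
import re
from typing import Iterable, List, Tuple

# Added example (not Quarkus' own implementation): translate a glob written with the
# feature set documented for quarkus.native.resources.includes/excludes into a Python
# regular expression, then apply include/exclude lists to candidate resource paths.


def _translate(glob: str, i: int, depth: int) -> Tuple[str, int]:
    """Translate glob[i:] until the end, or until ',' / '}' closes an alternation."""
    out: List[str] = []
    n = len(glob)
    while i < n:
        c = glob[i]
        if depth > 0 and c in ",}":
            return "".join(out), i
        if c == "\\":                      # backslash escapes the next character
            if i + 1 >= n:
                raise ValueError("dangling escape at end of glob")
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif c == "*":
            if glob.startswith("**", i):   # ** may span slashes
                out.append(".*")
                i += 2
            else:                          # * stops at a slash
                out.append("[^/]*")
                i += 1
        elif c == "?":                     # exactly one character, never a slash
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = glob.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated bracket expression")
            body = glob[i + 1:j]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty bracket expression")
            # Keep '-' as the range operator; escape everything else for the regex engine.
            body = re.escape(body).replace(r"\-", "-")
            # Bracket expressions never match a slash, negated or not.
            out.append(f"[^/{body}]" if negate else f"(?!/)[{body}]")
            i = j + 1
        elif c == "{":                     # alternation, possibly nested
            alternatives: List[str] = []
            i += 1
            while True:
                sub, i = _translate(glob, i, depth + 1)
                alternatives.append(sub)
                if glob[i] == ",":
                    i += 1
                    continue
                i += 1                     # skip the closing '}'
                break
            out.append("(?:" + "|".join(alternatives) + ")")
        else:
            out.append(re.escape(c))
            i += 1
    if depth > 0:
        raise ValueError("unterminated alternation")
    return "".join(out), i


def glob_to_regex(glob: str) -> re.Pattern:
    if glob.startswith("/"):
        raise ValueError("globs must not start with slash")
    regex, _ = _translate(glob, 0, 0)
    return re.compile(regex)


def matches(glob: str, path: str) -> bool:
    return glob_to_regex(glob).fullmatch(path) is not None


def select_resources(includes: Iterable[str], excludes: Iterable[str],
                     paths: Iterable[str]) -> List[str]:
    """Nothing is included by default: a path is kept when some include glob matches
    it and no exclude glob matches it."""
    inc = [glob_to_regex(g) for g in includes]
    exc = [glob_to_regex(g) for g in excludes]
    return [p for p in paths
            if any(r.fullmatch(p) for r in inc) and not any(r.fullmatch(p) for r in exc)]


# Constructed inputs mirroring the documented examples; the glob values are assumed.
INCLUDE_EXAMPLE_PATHS = ["ignored.png", "foo/selected.png", "bar/some.txt"]
EXCLUDE_EXAMPLE_PATHS = ["red.png", "foo/green.png", "bar/blue.png"]

if __name__ == "__main__":
    print(select_resources(["foo/**", "**/*.txt"], [], INCLUDE_EXAMPLE_PATHS))
    print(select_resources(["**.png"], ["{foo,bar}/*.png"], EXCLUDE_EXAMPLE_PATHS))
```

The translator works on the already-split list items, i.e. after the application.properties parser and the MicroProfile Config list converter have each consumed their own level of backslashes; only the glob-level escape is handled here.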
Allows passing extra arguments to the UPX command line (like --brute). The arguments are comma-separated. The exhaustive list of parameters can be found in https://github.com/upx/upx/blob/devel/doc/upx.pod.
Configuration files generated by the Quarkus build, using native image agent, are informative by default. In other words, the generated configuration files are presented in the build log but are not applied. When this option is set to true, generated configuration files are applied to the native executable building process.
Enabling this option should be done with care, because it can make native image configuration and/or behaviour dependent on other non-obvious factors. For example, if the native image agent generated configuration was generated from running JVM unit tests, disabling test(s) can result in a different native image configuration being generated, which in turn can misconfigure the native executable or affect its behaviour in unintended ways.
fast-jar: The "fast JAR" packaging type.
uber-jar: The "Uber-JAR" packaging type.
mutable-jar: The "mutable JAR" packaging type (for remote development mode).
legacy-jar: The "legacy JAR" packaging type. This corresponds to the packaging type used in Quarkus before version 1.12.
fast-jar
quarkus.package.jar.compress
Whether the created jar will be compressed. This setting is not used when building a native image.
Custom manifest attributes to be added to the main section of the MANIFEST.MF file. An example of the user defined property:
quarkus.package.jar.manifest.attributes."Entry-key1"=Value1
quarkus.package.jar.manifest.attributes."Entry-key2"=Value2
Custom manifest sections to be added to the MANIFEST.MF file. An example of the user defined property:
quarkus.package.jar.manifest.sections."Section-Name"."Entry-Key1"=Value1
quarkus.package.jar.manifest.sections."Section-Name"."Entry-Key2"=Value2
List of all the dependencies that have been defined as optional to include into the final package of the application. Each optional dependency needs to be expressed in the following format:
groupId:artifactId[:[classifier][:[type]]]
With the classifier and type being optional (note that the brackets ([]) denote optionality and are not a part of the syntax specification). The group ID and artifact ID must be present and non-empty.
If the type is missing, the artifact is assumed to be of type jar.
This parameter is optional; if absent, no optional dependencies will be included into the final package of the application.
For backward compatibility reasons, this parameter is ignored by default and can be enabled by setting the parameter quarkus.package.jar.filter-optional-dependencies to true.
This parameter is meant to be used in modules where multi-builds have been configured to avoid getting a final package with unused dependencies.
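The coordinate format described above, as an added example that is not Quarkus' own code: a parser for groupId:artifactId[:[classifier][:[type]]] with the documented rules (group and artifact mandatory and non-empty, classifier and type optional, type defaulting to jar), and the selection step it feeds, where an optional dependency reaches the final package only if it is listed. The resolved dependency graph and the property value are constructed sample data; the Coordinate class and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not Quarkus' own code): parse optional-dependency coordinates in the
# documented groupId:artifactId[:[classifier][:[type]]] form and apply the allow-list.


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    classifier: str = ""
    type: str = "jar"           # assumed when the type segment is missing or empty


def parse_coordinate(spec: str) -> Coordinate:
    parts = spec.strip().split(":")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"expected groupId:artifactId[:[classifier][:[type]]], got {spec!r}")
    group_id, artifact_id = parts[0], parts[1]
    if not group_id or not artifact_id:
        raise ValueError(f"group ID and artifact ID must be non-empty in {spec!r}")
    classifier = parts[2] if len(parts) > 2 else ""
    type_ = parts[3] if len(parts) > 3 and parts[3] else "jar"
    return Coordinate(group_id, artifact_id, classifier, type_)


def is_valid_coordinate(spec: str) -> bool:
    try:
        parse_coordinate(spec)
        return True
    except ValueError:
        return False


def parse_coordinate_list(value: str) -> List[Coordinate]:
    """Split the comma-separated property value; empty items are ignored, as a list
    converter would ignore them."""
    return [parse_coordinate(item) for item in value.split(",") if item.strip()]


def select_optional_dependencies(resolved: List[Tuple[Coordinate, bool]],
                                 allowed: List[Coordinate]) -> List[Coordinate]:
    """Non-optional dependencies are always kept; an optional one is kept only when
    it is explicitly listed, which is how unused optional dependencies stay out of
    the final package."""
    allowed_set = set(allowed)
    return [c for c, optional in resolved if not optional or c in allowed_set]


# Constructed sample: a resolved dependency graph (coordinate, is_optional) and the
# configured allow-list value.
RESOLVED = [
    (Coordinate("org.example", "core"), False),
    (Coordinate("org.example", "metrics"), True),
    (Coordinate("org.example", "native", "linux-x86_64", "so"), True),
    (Coordinate("org.example", "debug-tools"), True),
]
ALLOWED_VALUE = "org.example:metrics, org.example:native:linux-x86_64:so"

if __name__ == "__main__":
    for dep in select_optional_dependencies(RESOLVED, parse_coordinate_list(ALLOWED_VALUE)):
        print(dep)
```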
Indicates whether the generated JAR file should have the runner suffix appended. Only applicable to the uber-JAR output type. If disabled, the JAR built by the original build system (Maven, Gradle, etc.) will be replaced with the Quarkus-built uber-JAR.
Whether to automate the creation of AppCDS. Furthermore, this option only works for Java 11+ and is considered experimental for the time being. Finally, care must be taken to use the same exact JVM version when building and running the application.
When AppCDS generation is enabled, if this property is set, then the JVM used to generate the AppCDS file will be the JVM present in the container image. The builder image is expected to have the 'java' binary on its PATH. This flag is useful when the JVM to be used at runtime is not the same exact JVM version as the one used to build the jar. Note that this property is consulted only when quarkus.package.jar.appcds.enabled=true and it requires having docker available during the build.
Whether creation of the AppCDS archive should run in a container if available.
Normally, if either a suitable container image to use to create the AppCDS archive can be determined automatically or if one is explicitly set using the quarkus.<package-type>.appcds.builder-image setting, the AppCDS archive is generated by running the JDK contained in the image as a container.
If this option is set to false, a container will not be used to generate the AppCDS archive. Instead, the JDK used to build the application is also used to create the archive. Note that the exact same JDK version must be used to run the application in this case.
Ignored if quarkus.package.jar.appcds.enabled is set to false.
This is an advanced option that only takes effect for development mode.
If this is specified a directory of this name will be created in the jar distribution. Users can place jar files in this directory, and when re-augmentation is performed these will be processed and added to the class-path.
Note that before reaugmentation has been performed these jars will be ignored, and if they are updated the app should be reaugmented again.
If this option is true then a list of all the coordinates of the artifacts that made up this image will be included in the quarkus-app directory. This list can be used by vulnerability scanners to determine if your application has any vulnerable dependencies. Only supported for the fast JAR and mutable JAR output types.
The entry point of the application. This can either be a fully qualified name of a standard Java class with a main method, or io.quarkus.runtime.QuarkusApplication.
If your application has main classes annotated with io.quarkus.runtime.annotations.QuarkusMain then this can also reference the name given in the annotation, to avoid the need to specify fully qualified names in the config.
Environment variable: QUARKUS_PACKAGE_MAIN_CLASS
string
quarkus.package.output-directory
The directory into which the output package(s) should be written. Relative paths are resolved from the build systems target directory.
Setting this switch to true will cause Quarkus to write the transformed application bytecode to the build tool’s output directory. This is useful for post-build tools that need to scan the application bytecode (for example, offline code-coverage tools).
For example, if using Maven, enabling this feature will result in the classes in target/classes being replaced with classes that have been transformed by Quarkus.
Setting this to true, however, should be done with a lot of caution and only if subsequent builds are done in a clean environment (i.e. the build tool’s output directory has been completely cleaned).
Whether Quarkus should wait between shutdown being requested and actually initiated. This delay gives the infrastructure time to detect that the application instance is shutting down and stop routing traffic to it.
The timeout to wait for running requests to finish. If this is not set then the application will exit immediately. Setting this timeout will incur a small performance penalty, as it requires active requests to be tracked.
Delay between shutdown being requested and actually initiated. Also called the pre-shutdown phase. In pre-shutdown, the server continues working as usual, except a readiness probe starts reporting "down" (if the smallrye-health extension is present). This gives the infrastructure time to detect that the application instance is shutting down and stop routing traffic to it. Notice that this property will only take effect if quarkus.shutdown.delay-enabled is explicitly set to true.
Default value is dependent on extensions deployed (i.e. when using AWS Lambda extensions, this will be set to true by default).
Environment variable: QUARKUS_SNAPSTART_ENABLE
boolean
quarkus.snapstart.preload-classes
Performs a classpath search for all META-INF/quarkus-preload-classes.txt files. These files contain fully qualified class names that should be loaded in the SnapStart/CRaC beforeCheckpoint() phase.
Start the full application during the snapshotting process. In other words, when enabled, it performs Application.start() within SnapStart/CRaC beforeCheckpoint() phase.
If continuous testing is enabled. The default value is 'paused', which will allow you to start testing from the console or the Dev UI, but will not run tests on startup. If this is set to 'enabled' then testing will start as soon as the application has started. If this is 'disabled' then continuous testing is not enabled, and can’t be enabled without restarting the application.
Tags that should be included for continuous testing. This supports JUnit Tag Expressions.
Environment variable: QUARKUS_TEST_INCLUDE_TAGS
list of string
quarkus.test.exclude-tags
Tags that should be excluded by default with continuous testing. This is ignored if include-tags has been set. Defaults to 'slow'. This supports JUnit Tag Expressions.
Environment variable: QUARKUS_TEST_EXCLUDE_TAGS
list of string
slow
quarkus.test.include-pattern
Tests that should be included for continuous testing. This is a regular expression and is matched against the test class name (not the file name).
Tests that should be excluded with continuous testing. This is a regular expression and is matched against the test class name (not the file name). This is ignored if include-pattern has been set.
Changes tests to use the 'flat' ClassPath used in Quarkus 1.x versions. This means all Quarkus and test classes are loaded in the same ClassLoader, however it means you cannot use continuous testing. Note that if you find this necessary for your application then you may also have problems running in development mode, which cannot use a flat class path.
A comma separated list of profiles (dev, test, prod or custom profiles) to use when testing using @QuarkusTest
Environment variable: QUARKUS_TEST_PROFILE
list of string
test
quarkus.test.profile.tags
The tags this profile is associated with. When the quarkus.test.profile.tags System property is set (its value is a comma separated list of strings) then Quarkus will only execute tests that are annotated with a @TestProfile that has at least one of the supplied (via the aforementioned system property) tags.
Environment variable: QUARKUS_TEST_PROFILE_TAGS
list of string
quarkus.test.container.network
Controls the container network to be used when @QuarkusIntegration needs to launch the application in a container. This setting only applies if Quarkus does not need to use a shared network - which is the case if DevServices are used when running the test.
Additional launch parameters to be used when Quarkus launches the produced artifact for @QuarkusIntegrationTest. When the artifact is a jar, this string is passed right after the java command. When the artifact is a container, this string is passed right after the docker run command. When the artifact is a native binary, this string is passed right after the native binary name.
Environment variable: QUARKUS_TEST_ARG_LINE
list of string
quarkus.test.env."environment-variable-name"
Additional environment variables to be set in the process that @QuarkusIntegrationTest launches.
Configures the hang detection in @QuarkusTest. If no activity happens (i.e. no test callbacks are called) over this period then QuarkusTest will dump all threads stack traces, to help diagnose a potential hang. Note that the initial timeout (before Quarkus has started) will only apply if provided by a system property, as it is not possible to read all config sources until Quarkus has booted.
The type of test to run. This can be either:
* quarkus-test: Only runs @QuarkusTest annotated test classes
* unit: Only runs classes that are not annotated with @QuarkusTest
* all: Runs both, running the unit tests first
Environment variable: QUARKUS_TEST_TYPE
unit, quarkus-test, all
all
quarkus.test.only-test-application-module
If this is true then only the tests from the main application module will be run (i.e. the module that is currently running mvn quarkus:dev). If this is false then tests from all dependency modules will be run as well.
Modules that should be excluded for continuous testing. This is a regular expression and is matched against the module groupId:artifactId. This is ignored if include-module-pattern has been set.
Prefill core thread pool. The core thread pool will be initialised with the core number of threads at startup.
Environment variable: QUARKUS_THREAD_POOL_PREFILL
boolean
true
quarkus.thread-pool.max-threads
The maximum number of threads. If this is not specified then it will be automatically sized to the greatest of 8 * the number of available processors and 200. For example if there are 4 processors the max threads will be 200. If there are 48 processors it will be 384.
The executor growth resistance. A resistance factor applied after the core pool is full; values applied here will cause that fraction of submissions to create new threads when no idle thread is available. A value of 0.0f implies that threads beyond the core size should be created as aggressively as threads within it; a value of 1.0f implies that threads beyond the core size should never be created.
The shutdown timeout. If all pending work has not been completed by this time then additional threads will be spawned to attempt to finish any pending tasks, and the shutdown process will continue.
The amount of time to wait for thread pool shutdown before tasks should be interrupted. If this value is greater than or equal to the value for shutdown-timeout, then tasks will not be interrupted before the shutdown timeout occurs.
The frequency at which the status of the thread pool should be checked during shutdown. Information about waiting tasks and threads will be checked and possibly logged at this interval. Setting this key to an empty value disables the shutdown check interval.
SBOM file format. Supported formats are json and xml. The default format is JSON. If both are desired then all could be used as the value of this option.
Environment variable: QUARKUS_CYCLONEDX_FORMAT
string
json
quarkus.cyclonedx.schema-version
CycloneDX specification version. The default value is the latest supported by the integrated CycloneDX library.
Whether or not datasource metrics are published in case a metrics extension is present.
This is a global setting and is not specific to a datasource.
This is different from the "jdbc.enable-metrics" property that needs to be set on the JDBC datasource level to enable collection of metrics for that datasource.
The kind of database we will connect to (e.g. h2, postgresql…).
Environment variable: QUARKUS_DATASOURCE_DB_KIND
string
quarkus.datasource.db-version
quarkus.datasource."datasource-name".db-version
The version of the database we will connect to (e.g. '10.0').
The version number set here should follow the same numbering scheme as the string returned by java.sql.DatabaseMetaData#getDatabaseProductVersion() for your database’s JDBC driver. This numbering scheme may be different from the most popular one for your database; for example Microsoft SQL Server 2016 would be version 13.
As a rule, the version set here should be as high as possible, but must be lower than or equal to the version of any database your application will connect to. A high version will allow better performance and using more features (e.g. Hibernate ORM may generate more efficient SQL, avoid workarounds and take advantage of more database features), but if it is higher than the version of the database you want to connect to, it may lead to runtime exceptions (e.g. Hibernate ORM may generate invalid SQL that your database will reject).
Some extensions (like the Hibernate ORM extension) will try to check this version against the actual database version on startup, leading to a startup failure when the actual version is lower, or simply a warning in case the database cannot be reached.
The default for this property is specific to each extension; the Hibernate ORM extension will default to the oldest version it supports.
If the datasource is not active, it won’t start with the application, and accessing the corresponding Datasource CDI bean will fail, meaning in particular that consumers of this datasource (e.g. Hibernate ORM persistence units) will fail to start unless they are inactive too.
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
The map key corresponds to the host location; the map value is the container location. If the host location starts with "classpath:", the mapping loads the resource from the classpath with read-only permission.
When using a file system location, the volume will be generated with read-write permission, potentially leading to data loss or modification in your file system.
This has no effect if the provider is not a container-based database, such as H2 or Derby.
Whether to keep Dev Service containers running after a dev mode session or test suite execution, to reuse them in the next dev mode session or test suite execution.
Within a dev mode session or test suite execution, Quarkus will always reuse Dev Services as long as their configuration (username, password, environment, port bindings, …) did not change. This feature is specifically about keeping containers running when Quarkus is not running, to reuse them across runs.
This feature needs to be enabled explicitly in testcontainers.properties, may require changes to how you configure data initialization in dev mode and tests, and may leave containers running indefinitely, forcing you to stop and remove them manually. See this section of the documentation for more information.
This configuration property is set to true by default, so it is mostly useful to disable reuse if you enabled it in testcontainers.properties but only want to use it for some of your Quarkus applications or datasources.
More hosts allowed for Dev UI. Comma separated list of valid URLs, e.g. www.quarkus.io, myhost.com (this can also be a regex). By default localhost and 127.0.0.1 will always be allowed.
Environment variable: QUARKUS_DEV_UI_HOSTS
list of string
quarkus.dev-ui.cors.enabled
Enable CORS filter.
Environment variable: QUARKUS_DEV_UI_CORS_ENABLED
boolean
true
quarkus.http.root-path
The HTTP root path. All web content will be served relative to this root path.
Environment variable: QUARKUS_HTTP_ROOT_PATH
string
/
quarkus.http.auth.basic
If basic auth should be enabled. If both basic and form auth are enabled then basic auth will be enabled in silent mode. Basic auth is enabled by default if no authentication mechanisms are configured or Quarkus can safely determine that basic authentication is required.
If this is true and credentials are present then a user will always be authenticated before the request progresses. If this is false then an attempt will only be made to authenticate the user if a permission check is performed or the current user is required for some other reason.
Environment variable: QUARKUS_HTTP_AUTH_PROACTIVE
boolean
true
quarkus.http.auth.inclusive
Require that all registered HTTP authentication mechanisms must complete the authentication.
Typically, this property has to be true when the credentials are carried over mTLS, when both mTLS and another authentication, for example, OIDC bearer token authentication, must succeed. In such cases, the SecurityIdentity created by the first mechanism, mTLS, can be injected; identities created by other mechanisms will be available on that SecurityIdentity. The identities can be retrieved using a utility method as in the example below:
This property is false by default which means that the authentication process is complete as soon as the first SecurityIdentity is created.
This property will be ignored if the path specific authentication is enabled.
Environment variable: QUARKUS_HTTP_AUTH_INCLUSIVE
boolean
false
quarkus.http.ssl.client-auth
Configures the engine to require/request client authentication. NONE, REQUEST, REQUIRED.
When set to REQUIRED, it’s recommended to also set quarkus.http.insecure-requests=disabled to disable the plain HTTP port. If quarkus.http.insecure-requests is not set, but this parameter is set to REQUIRED, then, quarkus.http.insecure-requests is automatically set to disabled.
If this is true then only a virtual channel will be set up for vertx web. We have this switch for testing purposes.
Environment variable: QUARKUS_HTTP_VIRTUAL
boolean
false
quarkus.http.non-application-root-path
A common root path for non-application endpoints. Various extension-provided endpoints such as metrics, health, and openapi are deployed under this path by default.
* Relative path (Default, q) → Non-application endpoints will be served from ${quarkus.http.root-path}/${quarkus.http.non-application-root-path}.
* Absolute path (/q) → Non-application endpoints will be served from the specified path.
* ${quarkus.http.root-path} → Setting this path to the same value as HTTP root path disables this root path. All extension-provided endpoints will be served from ${quarkus.http.root-path}.
If the management interface is enabled, the root path for the endpoints exposed on the management interface is configured using the quarkus.management.root-path property instead of this property.
If enabled then the response body is compressed if the Content-Type header is set and the value is a compressed media type as configured via compress-media-types.
Note that the RESTEasy Reactive and Reactive Routes extensions also make it possible to enable/disable compression declaratively using the annotations io.quarkus.vertx.http.Compressed and io.quarkus.vertx.http.Uncompressed.
If the user adds br, then brotli will be added to the list of supported compression algorithms. This implies loading the libbrotli native library via JNI and, in the case of a native image, packing the native library into the native image as a resource, thus inflating its size. Note that a native shared object library must be available for your platform in the Brotli4J project.
The client expresses its capability by sending the Accept-Encoding header, e.g. Accept-Encoding: deflate, gzip, br. The server chooses the compression algorithm based on the client’s capabilities and marks it in a response header, e.g. content-encoding: gzip.
Environment variable: QUARKUS_HTTP_COMPRESSORS
list of string
gzip,deflate
quarkus.http.compress-media-types
List of media types for which the compression should be enabled automatically, unless declared explicitly via Compressed or Uncompressed.
In dev/test mode this defaults to localhost, in prod mode this defaults to 0.0.0.0
Defaulting to 0.0.0.0 makes it easier to deploy Quarkus to a container; however, it is not suitable for dev/test mode, as other people on the network can connect to your development machine.
As an exception, when running in Windows Subsystem for Linux (WSL), the HTTP host defaults to 0.0.0.0 even in dev/test mode since using localhost makes the application inaccessible.
Environment variable: QUARKUS_HTTP_HOST
string
required
quarkus.http.test-host
Used when QuarkusIntegrationTest is meant to execute against an application that is already running and listening on the host specified by this property.
Environment variable: QUARKUS_HTTP_TEST_HOST
string
quarkus.http.host-enabled
Enable listening to host:port
Environment variable: QUARKUS_HTTP_HOST_ENABLED
boolean
true
quarkus.http.ssl-port
The HTTPS port
Environment variable: QUARKUS_HTTP_SSL_PORT
int
8443
quarkus.http.test-ssl-port
The HTTPS port used to run tests
Environment variable: QUARKUS_HTTP_TEST_SSL_PORT
int
8444
quarkus.http.test-ssl-enabled
Used when QuarkusIntegrationTest is meant to execute against an application that is already running to configure the test to use SSL.
If insecure (i.e. http rather than https) requests are allowed. If this is enabled then http works as normal. redirect will still open the http port, but all requests will be redirected to the HTTPS port. disabled will prevent the HTTP port from opening at all.
Default is enabled except when client auth is set to required (configured using quarkus.http.ssl.client-auth=required). In this case, the default is disabled.
If this is true (the default) then HTTP/2 will be enabled.
Note that for browsers to be able to use it HTTPS must be enabled, and you must be running on JDK11 or above, as JDK8 does not support ALPN.
Environment variable: QUARKUS_HTTP_HTTP2
boolean
true
quarkus.http.http2-push-enabled
Enables or disables the HTTP/2 Push feature. This setting can be used to disable server push. The server will not send a PUSH_PROMISE frame if it receives this parameter set to false.
The CredentialsProvider. If this property is configured, then a matching 'CredentialsProvider' will be used to get the keystore, keystore key, and truststore passwords unless these passwords have already been configured.
Please note that using MicroProfile ConfigSource which is directly supported by Quarkus Configuration should be preferred unless using CredentialsProvider provides for some additional security and dynamism.
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
An optional parameter to specify a provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type.
An optional parameter to select a specific key in the keystore. When SNI is disabled, the keystore contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to define the password for the key, in case it is different from key-store-password. If not given, it might be retrieved from CredentialsProvider.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
When set, the configured certificate will be reloaded after the given period. Note that the certificate will be reloaded only if the file has been modified.
Also, the update can occur only when the TLS certificate is configured using file paths (not in-memory).
The reload period must be equal or greater than 30 seconds. If not set, the certificate will not be reloaded.
It’s recommended to use the TLS registry to handle the certificate reloading.
Sets the ordered list of enabled SSL/TLS protocols.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3".
Note that setting an empty list, and enabling SSL/TLS is invalid. You must at least have one protocol.
Environment variable: QUARKUS_HTTP_SSL_PROTOCOLS
list of string
TLSv1.3,TLSv1.2
quarkus.http.ssl.sni
Enables Server Name Indication (SNI), a TLS extension allowing the server to use multiple certificates. The client indicates the server name during the TLS handshake, allowing the server to select the right certificate.
Environment variable: QUARKUS_HTTP_SSL_SNI
boolean
false
quarkus.http.tls-configuration-name
The name of the TLS configuration to use.
If not set and the default TLS configuration is configured (quarkus.tls.*) then that will be used. If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured, but no TLS configuration is found with that name, then an error will be thrown.
If no TLS configuration is set, and quarkus.tls.* is not configured, then, quarkus.http.ssl will be used.
The number of IO threads used to perform IO. This will be automatically set to a reasonable value based on the number of CPU cores if it is not provided. If this is set to a higher value than the number of Vert.x event loops then it will be capped at the number of event loops.
In general this should be controlled by setting quarkus.vertx.event-loops-pool-size, this setting should only be used if you want to limit the number of HTTP io threads to a smaller number than the total number of IO threads.
Http connection read timeout for blocking IO. This is the maximum amount of time a thread will wait for data, before an IOException will be thrown and the connection closed.
Whether the files sent using multipart/form-data will be stored locally.
If true, they will be stored in quarkus.http.body-handler.uploads-directory and will be made available via io.vertx.ext.web.RoutingContext.fileUploads(). Otherwise, the files sent using multipart/form-data will not be stored locally, and io.vertx.ext.web.RoutingContext.fileUploads() will always return an empty collection. Note that even with this option set to false, multipart/form-data requests will still be accepted.
Whether the uploaded files should be removed after serving the request.
If true the uploaded files stored in quarkus.http.body-handler.uploads-directory will be removed after handling the request. Otherwise, the files will be left there forever.
Whether the body buffer should be pre-allocated based on the Content-Length header value.
If true, the body buffer is pre-allocated according to the size read from the Content-Length header. Otherwise, the body buffer is pre-allocated to 1KB and is resized dynamically.
A comma-separated list of content types used to decide whether a given multipart field should be handled as a file part. You can use this setting to force HTTP-based extensions to parse a message part as a file based on its content type. For now, this setting only works when using RESTEasy Reactive.
The encryption key that is used to store persistent logins (e.g. for form auth). Logins are stored in a persistent cookie that is encrypted with AES-256 using a key derived from a SHA-256 hash of the key that is provided here.
If no key is provided then an in-memory one will be generated; this will change on every restart, so it is not suitable for production environments. This must be more than 16 characters long for security reasons.
Enable socket reuse port (Linux/macOS native transport only)
Environment variable: QUARKUS_HTTP_SO_REUSE_PORT
boolean
false
quarkus.http.tcp-quick-ack
Enable tcp quick ack (linux native transport only)
Environment variable: QUARKUS_HTTP_TCP_QUICK_ACK
boolean
false
quarkus.http.tcp-cork
Enable tcp cork (linux native transport only)
Environment variable: QUARKUS_HTTP_TCP_CORK
boolean
false
quarkus.http.tcp-fast-open
Enable tcp fast open (linux native transport only)
Environment variable: QUARKUS_HTTP_TCP_FAST_OPEN
boolean
false
quarkus.http.accept-backlog
The accept backlog: how many connections can be waiting to be accepted before connections start being rejected.
Environment variable: QUARKUS_HTTP_ACCEPT_BACKLOG
int
-1
quarkus.http.initial-window-size
Set the SETTINGS_INITIAL_WINDOW_SIZE HTTP/2 setting. Indicates the sender’s initial window size (in octets) for stream-level flow control. The initial value is 2^16-1 (65,535) octets.
Provides a hint (optional) for the default content type of responses generated for the errors not handled by the application.
If the client requested a supported content-type in request headers (e.g. "Accept: application/json", "Accept: text/html"), Quarkus will use that content type.
Otherwise, it will default to the content type configured here.
The HTTP policy that this permission set is linked to. There are three built-in policies: permit, deny and authenticated. Role based policies can be defined, and extensions can add their own policies.
The methods that this permission set applies to. If this is not set then they apply to all methods. Note that if a request matches any path from any permission set, but does not match the constraint because the method is not listed, then the request will be denied. Method-specific permissions take precedence over matches that do not have any methods set. This means that, for example, if Quarkus is configured to allow GET and POST requests to /admin and no other permissions are configured, PUT requests to /admin will be denied.
The paths that this permission check applies to. If the path ends in /* then this is treated as a path prefix, otherwise it is treated as an exact match. Matches are done on a length basis, so the most specific path match takes precedence. If multiple permission sets match the same path then explicit method matches take precedence over matches without methods set; otherwise the most restrictive permissions are applied.
Path specific authentication mechanism which must be used to authenticate a user. It needs to match HttpCredentialTransport authentication scheme such as 'basic', 'bearer', 'form', etc.
Indicates that this policy always applies to the matched paths in addition to the policy with a winning path. Avoid creating more than one shared policy to minimize the performance impact.
all: Apply on all matching paths.
jaxrs: Declares that a permission check must only be applied on the Jakarta REST request paths. Use this option to delay the permission check if an authentication mechanism is chosen with an annotation on the matching Jakarta REST endpoint. This option must be set if the following REST endpoint annotations are used:
- io.quarkus.oidc.Tenant, which selects an OIDC authentication mechanism with a tenant identifier
- io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication, which selects the Basic authentication mechanism
- io.quarkus.vertx.http.runtime.security.annotation.FormAuthentication, which selects the Form-based authentication mechanism
- io.quarkus.vertx.http.runtime.security.annotation.MTLSAuthentication, which selects the mTLS authentication mechanism
- io.quarkus.security.webauthn.WebAuthn, which selects the WebAuthn authentication mechanism
- io.quarkus.oidc.BearerTokenAuthentication, which selects the OpenID Connect Bearer token authentication mechanism
- io.quarkus.oidc.AuthorizationCodeFlow, which selects the OpenID Connect Code authentication mechanism
Add roles granted to the SecurityIdentity based on the roles that the SecurityIdentity already has. For example, the Quarkus OIDC extension can map roles from the verified JWT access token, and you may want to remap them to deployment-specific roles.
Permissions granted to the SecurityIdentity if this policy is applied successfully (the policy allows the request to proceed) and the authenticated request has the required role. For example, you can map permission perm1 with actions action1 and action2 to role admin by setting the quarkus.http.auth.policy.role-policy1.permissions.admin=perm1:action1,perm1:action2 configuration property. Granted permissions are used for authorization with the @PermissionsAllowed annotation.
Permissions granted by this policy will be created with a java.security.Permission implementation specified by this configuration property. The permission class must declare exactly one constructor that accepts permission name (String) or permission name and actions (String, String[]). Permission class must be registered for reflection if you run your application in a native mode.
Map the SecurityIdentity roles to deployment specific roles and add the matching roles to SecurityIdentity.
For example, if SecurityIdentity has a user role and the endpoint is secured with a 'UserRole' role, use this property to map the user role to the UserRole role, so that SecurityIdentity holds both the user and UserRole roles.
Client certificate attribute whose values are going to be mapped to the 'SecurityIdentity' roles according to the roles mapping specified in the certificate properties file. The attribute must be either one of the Relative Distinguished Names (RDNs) or Subject Alternative Names (SANs). By default, the Common Name (CN) attribute value is used for roles mapping. Supported values are:
RDN type - Distinguished Name field. For example 'CN' represents the Common Name field. Multivalued RDNs and multiple instances of the same attribute are currently not supported.
'SAN_RFC822' - Subject Alternative Name field RFC 822 Name.
'SAN_URI' - Subject Alternative Name field Uniform Resource Identifier (URI).
'SAN_ANY' - Subject Alternative Name field Other Name. Please note that only the simple case of UTF8 identifier mapping is supported. For example, you can map 'other-identifier' to the SecurityIdentity roles. If you use the 'openssl' tool, a supported Other Name definition would look like this: subjectAltName=otherName:1.2.3.4;UTF8:other-identifier
Properties file containing the client certificate attribute value to role mappings. Use it only if the mTLS authentication mechanism is enabled with either quarkus.http.ssl.client-auth=required or quarkus.http.ssl.client-auth=request.
The properties file is expected to have the CN_VALUE=role1,role,…,roleN format and should be encoded using UTF-8.
The landing page to redirect to if there is no saved page to redirect back to. Redirecting to the landing page can be disabled by setting quarkus.http.auth.form.landing-page to an empty value.
How old a cookie can get before it will be replaced with a new cookie with an updated timeout, also referred to as "renewal-timeout". Note that smaller values will result in slightly more server load (as new encrypted cookies will be generated more often); however, larger values affect the inactivity timeout because the timeout is set when a cookie is generated. For example, if this is set to 10 minutes and the inactivity timeout is 30m, and a user’s last request arrives when the cookie is 9m old, then the actual timeout will happen 21m after the last request, because the timeout is only refreshed when a new cookie is generated. That is, no timeout is tracked on the server side; the timestamp is encoded and encrypted in the cookie itself, and it is decrypted and parsed with each request.
Max-Age attribute for the session cookie. This is the amount of time the browser will keep the cookie. The default value is empty, which means the cookie will be kept until the browser is closed.
Origins allowed for CORS. Comma-separated list of valid URLs, e.g. http://www.quarkus.io,http://localhost:3000. If an entry of the list is surrounded by forward slashes, it is interpreted as a regular expression.
Environment variable: QUARKUS_HTTP_CORS_ORIGINS
list of string
quarkus.http.cors.methods
HTTP methods allowed for CORS. Comma-separated list of valid methods, e.g. GET,PUT,POST. The filter allows any method if this is not set (default: returns any requested method as valid).
Environment variable: QUARKUS_HTTP_CORS_METHODS
list of string
quarkus.http.cors.headers
HTTP headers allowed for CORS. Comma-separated list of valid headers, e.g. X-Custom,Content-Disposition. The filter allows any header if this is not set (default: returns any requested header as valid).
Environment variable: QUARKUS_HTTP_CORS_HEADERS
list of string
quarkus.http.cors.exposed-headers
HTTP headers exposed in CORS. Comma-separated list of valid headers, e.g. X-Custom,Content-Disposition. Default: empty.
The Access-Control-Allow-Credentials header is used to tell browsers to expose the response to front-end JavaScript code when the request’s credentials mode Request.credentials is “include”. The value of this header will default to true if the quarkus.http.cors.origins property is set and there is a match with the precise Origin header.
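The origin, method and header rules above, as an added Python illustration (not Quarkus's own CORS filter): it models quarkus.http.cors.origins with /regex/ entries, the "any requested method/header is valid when unset" defaults, and the Allow-Credentials default. Assumptions are marked in comments: regexes must match the whole Origin value, an empty origins list accepts any origin, and only an exact (non-regex) origin match triggers the credentials default.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsConfig:
    """Illustrative model of the quarkus.http.cors.* properties (not Quarkus's own class)."""
    origins: tuple = ()          # quarkus.http.cors.origins; an entry written /.../ is a regex
    methods: tuple = ()          # quarkus.http.cors.methods; empty = any requested method is valid
    headers: tuple = ()          # quarkus.http.cors.headers; empty = any requested header is valid
    allow_credentials: Optional[bool] = None   # None = use the default rule described on the page


def origin_matches(origin: str, cfg: CorsConfig):
    """Return 'exact', 'regex' or None.

    A regex entry must match the *whole* Origin value (assumption of this model); anchoring is
    what stops /http://localhost:[0-9]+/ from also accepting http://localhost:3000.evil.test.
    """
    for entry in cfg.origins:
        if len(entry) > 2 and entry.startswith("/") and entry.endswith("/"):
            if re.fullmatch(entry[1:-1], origin):
                return "regex"
        elif entry == origin:
            return "exact"
    return None


def preflight_response(cfg: CorsConfig, origin: str, requested_method: str,
                       requested_headers: tuple = ()):
    """Response headers for an OPTIONS preflight, or None when the request must be refused."""
    match = origin_matches(origin, cfg)
    if cfg.origins and match is None:
        return None                       # Origin not allowed: answer without any CORS headers
    # Assumption: with no origins configured any origin is accepted and simply echoed back.
    resp = {"Access-Control-Allow-Origin": origin}

    if cfg.methods:
        if requested_method.upper() not in {m.upper() for m in cfg.methods}:
            return None
        resp["Access-Control-Allow-Methods"] = ",".join(cfg.methods)
    else:
        # "returns any requested method as valid"
        resp["Access-Control-Allow-Methods"] = requested_method.upper()

    if cfg.headers:
        allowed = {h.lower() for h in cfg.headers}
        if any(h.lower() not in allowed for h in requested_headers):
            return None
        resp["Access-Control-Allow-Headers"] = ",".join(cfg.headers)
    elif requested_headers:
        # "returns any requested header as valid"
        resp["Access-Control-Allow-Headers"] = ",".join(requested_headers)

    # Explicit setting wins; otherwise credentials default to true only when origins are
    # configured and the Origin matched precisely (regex matches deliberately do not count here).
    creds = cfg.allow_credentials
    if creds is None:
        creds = bool(cfg.origins) and match == "exact"
    if creds:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


# Constructed sample configuration: one exact origin plus a regex covering any localhost port.
CFG = CorsConfig(origins=("https://app.example.com", "/http://localhost:[0-9]+/"),
                 methods=("GET", "POST"), headers=("Content-Type", "Authorization"))
OPEN = CorsConfig()   # nothing configured: everything requested is echoed, never with credentials

if __name__ == "__main__":
    print(preflight_response(CFG, "https://app.example.com", "POST", ("Content-Type",)))
    print(preflight_response(CFG, "http://localhost:3000.evil.test", "GET"))   # None
```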
Set the SETTINGS_HEADER_TABLE_SIZE HTTP/2 setting.
Allows the sender to inform the remote endpoint of the maximum size of the header compression table used to decode header blocks, in octets. The encoder can select any size equal to or less than this value by using signaling specific to the header compression format inside a header block. The initial value is 4,096 octets.
Set SETTINGS_MAX_CONCURRENT_STREAMS HTTP/2 setting.
Indicates the maximum number of concurrent streams that the sender will allow. This limit is directional: it applies to the number of streams that the sender permits the receiver to create. Initially, there is no limit to this value. It is recommended that this value be no smaller than 100, to not unnecessarily limit parallelism.
Set the SETTINGS_MAX_FRAME_SIZE HTTP/2 setting. Indicates the size of the largest frame payload that the sender is willing to receive, in octets. The initial value is 2^14 (16,384) octets.
Set the SETTINGS_MAX_HEADER_LIST_SIZE HTTP/2 setting. This advisory setting informs a peer of the maximum size of header list that the sender is prepared to accept, in octets. The value is based on the uncompressed size of header fields, including the length of the name and value in octets plus an overhead of 32 octets for each header field. The default value is 8192.
Set the max number of RST frames allowed per time window; this is used to prevent HTTP/2 RST frame flood DDoS attacks. The default value is 200; setting zero or a negative value disables flood protection.
Set the duration of the time window used when checking the max number of RST frames; this is used to prevent HTTP/2 RST frame flood DDoS attacks. The default value is 30 s; setting zero or a negative value disables flood protection.
Set the delay between two computations of performance statistics for channels. If set to 0, no stats are computed. Although 0 is accepted (no accounting), it is recommended to set a positive value for the check interval, even a high one, since the precision of the traffic shaping depends on the period over which the traffic is computed. In this case, a suggested value is something close to 5 or 10 minutes.
Set the maximum global write size in bytes per second allowed in the buffer globally for all channels before writes are suspended. The default value is 400 MB.
Set whether the server should use the HA PROXY protocol when serving requests from behind a proxy (see the PROXY Protocol). When set to true, the remote address returned will be the one of the actual connecting client. If it is set to false (the default), the remote address returned will be the one of the proxy.
If this is true then the address, scheme etc. will be set from headers forwarded by the proxy server, such as X-Forwarded-For. This should only be set if you are behind a proxy that sets these headers.
If this is true and proxy address forwarding is enabled then the standard Forwarded header will be used. In case the non-standard X-Forwarded-For header is enabled and detected on HTTP requests, the standard header takes precedence. Activating this together with quarkus.http.proxy.allow-x-forwarded has security implications, as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
If either this or allow-forwarded is true and proxy address forwarding is enabled then the non-standard X-Forwarded-* headers will be used. In case the standard Forwarded header is enabled and detected on HTTP requests, the standard header takes precedence. Activating this together with quarkus.http.proxy.allow-forwarded has security implications, as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
Configure the list of trusted proxy addresses. Received Forwarded, X-Forwarded or X-Forwarded-* headers from any other proxy address will be ignored. The trusted proxy address should be specified as an IP address (IPv4 or IPv6), hostname or Classless Inter-Domain Routing (CIDR) notation. Please note that Quarkus needs to perform a DNS lookup for all hostnames during the request. For that reason, using hostnames is not recommended.
Examples of a socket address in the form of host or host:port:
127.0.0.1:8084
[0:0:0:0:0:0:0:1]
[0:0:0:0:0:0:0:1]:8084
[::]
localhost
localhost:8084
Examples of a CIDR notation:
::/128
::/0
127.0.0.0/8
Please bear in mind that an IPv4 CIDR won’t match requests sent from IPv6 addresses, and the other way around.
Enables / Disables the usage of a separate interface/port to expose the management endpoints. If set to true, the management endpoints will be exposed on a different HTTP server. This avoids exposing the management endpoints on a publicly available server.
If this is true and credentials are present then a user will always be authenticated before the request progresses. If this is false then an attempt will only be made to authenticate the user if a permission check is performed or the current user is required for some other reason.
A common root path for management endpoints. Various extension-provided management endpoints such as metrics and health are deployed under this path by default.
Note that this will attempt to compress all responses; to avoid compressing already compressed content (such as images) you need to set the following header:
Content-Encoding: identity
which will tell Vert.x not to compress the response.
Map the SecurityIdentity roles to deployment specific roles and add the matching roles to SecurityIdentity.
For example, if SecurityIdentity has a user role and the endpoint is secured with a 'UserRole' role, use this property to map the user role to the UserRole role, so that SecurityIdentity holds both the user and UserRole roles.
Defaulting to 0.0.0.0 makes it easier to deploy Quarkus in a container; however, it is not suitable for dev/test mode, as other people on the network can connect to your development machine.
The CredentialsProvider. If this property is configured, then a matching 'CredentialsProvider' will be used to get the keystore, keystore key, and truststore passwords unless these passwords have already been configured.
Please note that using a MicroProfile ConfigSource, which is directly supported by Quarkus Configuration, should be preferred unless using a CredentialsProvider provides some additional security and dynamism.
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
An optional parameter to specify a provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type.
An optional parameter to select a specific key in the keystore. When SNI is disabled, the keystore contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to define the password for the key, in case it is different from key-store-password. If not given, it might be retrieved from CredentialsProvider.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
When set, the configured certificate will be reloaded after the given period. Note that the certificate will be reloaded only if the file has been modified.
Note that the reload only applies when the TLS certificate is configured using file paths (not in-memory values).
The reload period must be equal to or greater than 30 seconds. If not set, the certificate will not be reloaded.
It’s recommended to use the TLS registry to handle the certificate reloading.
Sets the ordered list of enabled SSL/TLS protocols.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3".
Note that setting an empty list while enabling SSL/TLS is invalid. You must have at least one protocol.
Enables Server Name Indication (SNI), a TLS extension allowing the server to use multiple certificates. The client indicates the server name during the TLS handshake, allowing the server to select the right certificate.
Environment variable: QUARKUS_MANAGEMENT_SSL_SNI
boolean
false
quarkus.management.tls-configuration-name
The name of the TLS configuration to use.
If not set and the default TLS configuration is configured (quarkus.tls.*), then that will be used. If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, then an error will be thrown.
If no TLS configuration is set and quarkus.tls.* is not configured, then quarkus.management.ssl will be used.
Set the SETTINGS_HEADER_TABLE_SIZE HTTP/2 setting.
Allows the sender to inform the remote endpoint of the maximum size of the header compression table used to decode header blocks, in octets. The encoder can select any size equal to or less than this value by using signaling specific to the header compression format inside a header block. The initial value is 4,096 octets.
Set SETTINGS_MAX_CONCURRENT_STREAMS HTTP/2 setting.
Indicates the maximum number of concurrent streams that the sender will allow. This limit is directional: it applies to the number of streams that the sender permits the receiver to create. Initially, there is no limit to this value. It is recommended that this value be no smaller than 100, to not unnecessarily limit parallelism.
Set the SETTINGS_MAX_FRAME_SIZE HTTP/2 setting. Indicates the size of the largest frame payload that the sender is willing to receive, in octets. The initial value is 2^14 (16,384) octets.
Set the SETTINGS_MAX_HEADER_LIST_SIZE HTTP/2 setting. This advisory setting informs a peer of the maximum size of header list that the sender is prepared to accept, in octets. The value is based on the uncompressed size of header fields, including the length of the name and value in octets plus an overhead of 32 octets for each header field. The default value is 8192.
Set the max number of RST frames allowed per time window; this is used to prevent HTTP/2 RST frame flood DDoS attacks. The default value is 200; setting zero or a negative value disables flood protection.
Set the duration of the time window used when checking the max number of RST frames; this is used to prevent HTTP/2 RST frame flood DDoS attacks. The default value is 30 s; setting zero or a negative value disables flood protection.
Whether the files sent using multipart/form-data will be stored locally.
If true, they will be stored in quarkus.http.body-handler.uploads-directory and will be made available via io.vertx.ext.web.RoutingContext.fileUploads(). Otherwise, the files sent using multipart/form-data will not be stored locally, and io.vertx.ext.web.RoutingContext.fileUploads() will always return an empty collection. Note that even with this option set to false, multipart/form-data requests will still be accepted.
Whether the uploaded files should be removed after serving the request.
If true the uploaded files stored in quarkus.http.body-handler.uploads-directory will be removed after handling the request. Otherwise, the files will be left there forever.
Whether the body buffer should be pre-allocated based on the Content-Length header value.
If true, the body buffer is pre-allocated according to the size read from the Content-Length header. Otherwise, the body buffer is pre-allocated to 1KB and is resized dynamically.
A comma-separated list of content types used to decide whether a given multipart field should be handled as a file part. You can use this setting to force HTTP-based extensions to parse a message part as a file based on its content type. For now, this setting only works when using RESTEasy Reactive.
Set whether the server should use the HA PROXY protocol when serving requests from behind a proxy (see the PROXY Protocol). When set to true, the remote address returned will be the one of the actual connecting client. If it is set to false (the default), the remote address returned will be the one of the proxy.
If this is true then the address, scheme etc. will be set from headers forwarded by the proxy server, such as X-Forwarded-For. This should only be set if you are behind a proxy that sets these headers.
If this is true and proxy address forwarding is enabled then the standard Forwarded header will be used. In case the non-standard X-Forwarded-For header is enabled and detected on HTTP requests, the standard header takes precedence. Activating this together with quarkus.http.proxy.allow-x-forwarded has security implications, as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
If either this or allow-forwarded is true and proxy address forwarding is enabled then the non-standard X-Forwarded-* headers will be used. In case the standard Forwarded header is enabled and detected on HTTP requests, the standard header takes precedence. Activating this together with quarkus.http.proxy.allow-forwarded has security implications, as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
Configure the list of trusted proxy addresses. Received Forwarded, X-Forwarded or X-Forwarded-* headers from any other proxy address will be ignored. The trusted proxy address should be specified as an IP address (IPv4 or IPv6), hostname or Classless Inter-Domain Routing (CIDR) notation. Please note that Quarkus needs to perform a DNS lookup for all hostnames during the request. For that reason, using hostnames is not recommended.
Examples of a socket address in the form of host or host:port:
127.0.0.1:8084
[0:0:0:0:0:0:0:1]
[0:0:0:0:0:0:0:1]:8084
[::]
localhost
localhost:8084
Examples of a CIDR notation:
::/128
::/0
127.0.0.0/8
Please bear in mind that an IPv4 CIDR won’t match requests sent from IPv6 addresses, and the other way around.
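The proxy-header handling described for quarkus.http.proxy.* above and for the management server here, as an added Python illustration (not Quarkus's own implementation): only a peer inside the trusted-proxies list may supply Forwarded / X-Forwarded-For, the standard header wins when both are enabled, and an IPv4 CIDR never covers an IPv6 peer. Assumptions: an empty trusted-proxies list trusts every peer (the weak setting), entries are parsed in the host, [v6], host:port and CIDR forms from the page, and hostnames are deliberately not resolved.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyConfig:
    """Illustrative model of the quarkus.http.proxy.* settings (not Quarkus's own class)."""
    proxy_address_forwarding: bool = False
    allow_forwarded: bool = False      # honour the standard Forwarded header
    allow_x_forwarded: bool = False    # honour the non-standard X-Forwarded-* headers
    trusted_proxies: tuple = ()        # IP, [v6], host:port or CIDR entries; hostnames unsupported here


def _strip_port(host: str) -> str:
    """'[::1]:8084' -> '::1', '127.0.0.1:8084' -> '127.0.0.1'; bare addresses are returned unchanged."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", host)
    if m:
        return m.group(1)
    if host.count(":") == 1:           # exactly one colon: an IPv4 host:port pair
        return host.split(":", 1)[0]
    return host


def _trusted_network(entry: str):
    """One trusted-proxies entry as a network; a bare address becomes a /32 or /128."""
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_network(_strip_port(entry))   # raises ValueError for a hostname


def peer_is_trusted(peer: str, cfg: ProxyConfig) -> bool:
    """True when the TCP peer may supply forwarding headers.

    Assumption: an empty list trusts everyone, which is the setting to avoid in production.
    ipaddress never places an IPv6 address inside an IPv4 network (or the reverse), which is
    exactly the page's caveat: 127.0.0.0/8 covers neither ::1 nor ::ffff:127.0.0.1.
    """
    if not cfg.trusted_proxies:
        return True
    addr = ipaddress.ip_address(peer)
    return any(addr in _trusted_network(e) for e in cfg.trusted_proxies)


def _forwarded_for(header: str):
    """Client address from the standard Forwarded header: the for= pair of the first hop."""
    for pair in header.split(",")[0].split(";"):
        key, _, value = pair.strip().partition("=")
        if key.strip().lower() == "for":
            return _strip_port(value.strip().strip('"'))
    return None


def resolve_client(peer: str, headers: dict, cfg: ProxyConfig):
    """Return (client_address, header_used) for a request whose TCP peer is `peer`."""
    h = {k.lower(): v for k, v in headers.items()}
    if not cfg.proxy_address_forwarding or not peer_is_trusted(peer, cfg):
        return peer, None        # forwarding disabled, or headers from an untrusted peer: ignored
    # The standard header takes precedence when both are enabled and present.
    if cfg.allow_forwarded and "forwarded" in h:
        client = _forwarded_for(h["forwarded"])
        if client:
            return client, "Forwarded"
    if cfg.allow_x_forwarded and "x-forwarded-for" in h:
        # First entry is the original client; later entries are proxies the request passed through.
        return _strip_port(h["x-forwarded-for"].split(",")[0].strip()), "X-Forwarded-For"
    return peer, None


# Constructed sample: a client behind a reverse proxy at 10.1.2.3 that sets both header styles.
PROXIED = {"Forwarded": 'for="[2001:db8::1]:4711";proto=https', "X-Forwarded-For": "198.51.100.7"}
WEAK = ProxyConfig(proxy_address_forwarding=True, allow_x_forwarded=True)       # trusts any peer
HARDENED = ProxyConfig(proxy_address_forwarding=True, allow_forwarded=True,
                       allow_x_forwarded=True, trusted_proxies=("10.0.0.0/8", "[::1]:8084"))

if __name__ == "__main__":
    print(resolve_client("10.1.2.3", PROXIED, HARDENED))
    print(resolve_client("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}, HARDENED))
```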
The HTTP policy that this permission set is linked to. There are three built-in policies: permit, deny and authenticated. Role based policies can be defined, and extensions can add their own policies.
The methods that this permission set applies to. If this is not set then they apply to all methods. Note that if a request matches any path from any permission set, but does not match the constraint because the method is not listed, then the request will be denied. Method-specific permissions take precedence over matches that do not have any methods set. This means that, for example, if Quarkus is configured to allow GET and POST requests to /admin and no other permissions are configured, PUT requests to /admin will be denied.
The paths that this permission check applies to. If the path ends in /* then this is treated as a path prefix, otherwise it is treated as an exact match. Matches are done on a length basis, so the most specific path match takes precedence. If multiple permission sets match the same path then explicit method matches take precedence over matches without methods set; otherwise the most restrictive permissions are applied.
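The path and method precedence rules stated for the HTTP permission sets above and repeated here for the management server, as an added Python illustration (not Quarkus's own HttpSecurityPolicy code): it reads quarkus.http.auth.permission.* and quarkus.http.auth.policy.*.roles-allowed lines, keeps the longest path match, lets method-specific entries win, denies a path covered only for other methods, and requires every remaining equally specific entry to allow the request. Assumptions: a /x/* prefix also matches /x itself, and "most restrictive" is modelled as all matching entries having to agree.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionSet:
    """One quarkus.http.auth.permission.<name>.* entry (illustrative model, not Quarkus's class)."""
    name: str
    paths: tuple                  # e.g. ("/admin", "/api/*"); a trailing /* makes it a prefix match
    policy: str                   # "permit", "deny", "authenticated" or "roles-allowed"
    methods: tuple = ()           # empty = applies to every method
    roles: frozenset = frozenset()   # used only by roles-allowed


_PERM_PREFIX = "quarkus.http.auth.permission."
_POLICY_PREFIX = "quarkus.http.auth.policy."


def parse_permissions(properties: str) -> list:
    """Build PermissionSet objects from application.properties lines."""
    perms, policies = {}, {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        for prefix, bucket in ((_PERM_PREFIX, perms), (_POLICY_PREFIX, policies)):
            if key.startswith(prefix):
                name, _, attr = key[len(prefix):].partition(".")
                bucket.setdefault(name, {})[attr] = value
    sets = []
    for name, attrs in perms.items():
        policy, roles = attrs.get("policy", "deny"), frozenset()
        if policy in policies:    # a named role policy: quarkus.http.auth.policy.<policy>.roles-allowed
            roles = frozenset(r.strip() for r in policies[policy].get("roles-allowed", "").split(",")
                              if r.strip())
            policy = "roles-allowed"
        sets.append(PermissionSet(
            name,
            tuple(p.strip() for p in attrs["paths"].split(",")),
            policy,
            tuple(m.strip().upper() for m in attrs.get("methods", "").split(",") if m.strip()),
            roles))
    return sets


def _match_length(pattern: str, path: str):
    """Length of the matched pattern, or None. Assumption: '/x/*' matches /x and anything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return len(prefix)
        return None
    return len(pattern) if pattern == path else None


def _policy_allows(ps: PermissionSet, roles: frozenset, authenticated: bool) -> bool:
    if ps.policy == "permit":
        return True
    if ps.policy == "deny":
        return False
    if ps.policy == "authenticated":
        return authenticated
    if ps.policy == "roles-allowed":
        return authenticated and bool(roles & ps.roles)
    raise ValueError("unknown policy: " + ps.policy)


def decide(sets, method: str, path: str, roles=frozenset(), authenticated: bool = False) -> str:
    """Return 'permit' or 'deny' for one request, applying the page's precedence rules."""
    method = method.upper()
    # 1. Keep only the most specific (longest) path matches across all permission sets.
    best, candidates = -1, []
    for ps in sets:
        lengths = [n for n in (_match_length(p, path) for p in ps.paths) if n is not None]
        if not lengths:
            continue
        n = max(lengths)
        if n > best:
            best, candidates = n, [ps]
        elif n == best:
            candidates.append(ps)
    if not candidates:
        return "permit"      # no permission set covers this path, so nothing restricts it
    # 2. Entries listing the request method win over entries with no methods at all ...
    chosen = [ps for ps in candidates if method in ps.methods]
    if not chosen:
        chosen = [ps for ps in candidates if not ps.methods]
    if not chosen:
        return "deny"        # ... and a path covered only for *other* methods is denied outright.
    # 3. Several equally specific entries: every one of them must allow the request.
    roles = frozenset(roles)
    return "permit" if all(_policy_allows(ps, roles, authenticated) for ps in chosen) else "deny"


# Constructed sample mirroring the page's "GET and POST to /admin, nothing else" scenario.
SAMPLE_PROPERTIES = """
quarkus.http.auth.policy.admin-only.roles-allowed=admin
quarkus.http.auth.permission.admin.paths=/admin
quarkus.http.auth.permission.admin.methods=GET,POST
quarkus.http.auth.permission.admin.policy=admin-only
quarkus.http.auth.permission.api.paths=/api/*
quarkus.http.auth.permission.api.policy=authenticated
quarkus.http.auth.permission.public.paths=/*
quarkus.http.auth.permission.public.policy=permit
"""
SETS = parse_permissions(SAMPLE_PROPERTIES)

if __name__ == "__main__":
    for m, p in (("GET", "/admin"), ("PUT", "/admin"), ("GET", "/api/orders"), ("GET", "/index.html")):
        print(m, p, decide(SETS, m, p, {"admin"}, authenticated=True))
```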
Path specific authentication mechanism which must be used to authenticate a user. It needs to match HttpCredentialTransport authentication scheme such as 'basic', 'bearer', 'form', etc.
Indicates that this policy always applies to the matched paths in addition to the policy with a winning path. Avoid creating more than one shared policy to minimize the performance impact.
all: Apply on all matching paths.
jaxrs: Declares that a permission check must only be applied on the Jakarta REST request paths. Use this option to delay the permission check if an authentication mechanism is chosen with an annotation on the matching Jakarta REST endpoint. This option must be set if the following REST endpoint annotations are used:
- io.quarkus.oidc.Tenant, which selects an OIDC authentication mechanism with a tenant identifier
- io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication, which selects the Basic authentication mechanism
- io.quarkus.vertx.http.runtime.security.annotation.FormAuthentication, which selects the Form-based authentication mechanism
- io.quarkus.vertx.http.runtime.security.annotation.MTLSAuthentication, which selects the mTLS authentication mechanism
- io.quarkus.security.webauthn.WebAuthn, which selects the WebAuthn authentication mechanism
- io.quarkus.oidc.BearerTokenAuthentication, which selects the OpenID Connect Bearer token authentication mechanism
- io.quarkus.oidc.AuthorizationCodeFlow, which selects the OpenID Connect Code authentication mechanism
Add roles granted to the SecurityIdentity based on the roles that the SecurityIdentity already has. For example, the Quarkus OIDC extension can map roles from the verified JWT access token, and you may want to remap them to deployment-specific roles.
Permissions granted to the SecurityIdentity if this policy is applied successfully (the policy allows the request to proceed) and the authenticated request has the required role. For example, you can map permission perm1 with actions action1 and action2 to role admin by setting the quarkus.http.auth.policy.role-policy1.permissions.admin=perm1:action1,perm1:action2 configuration property. Granted permissions are used for authorization with the @PermissionsAllowed annotation.
Permissions granted by this policy will be created with a java.security.Permission implementation specified by this configuration property. The permission class must declare exactly one constructor that accepts permission name (String) or permission name and actions (String, String[]). Permission class must be registered for reflection if you run your application in a native mode.
The number of IO threads. By default, this is the number of locally detected processors.
Thread counts higher than the number of processors should not be necessary because the I/O threads rely on non-blocking operations, but you may want to use a thread count lower than the number of processors.
Defaults to a distribution inferred from the explicitly configured image-name (if any), or by default to the distribution configured in depending extensions (e.g. Hibernate Search), or by default to elastic.
Whether the Elasticsearch server managed by Quarkus Dev Services is shared.
When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Elasticsearch starts a new container.
The discovery uses the quarkus-dev-service-elasticsearch label. The value is configured using the service-name property.
The value of the quarkus-dev-service-elasticsearch label attached to the started container.
This property is used when shared is set to true. In this case, before starting a container, Dev Services for Elasticsearch looks for a container with the quarkus-dev-service-elasticsearch label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the quarkus-dev-service-elasticsearch label set to the specified value.
This property is used when you need multiple shared Elasticsearch servers.
Whether to keep Dev Service containers running after a dev mode session or test suite execution, to reuse them in the next dev mode session or test suite execution.
Within a dev mode session or test suite execution, Quarkus will always reuse Dev Services as long as their configuration (username, password, environment, port bindings, …) did not change. This feature is specifically about keeping containers running when Quarkus is not running, to reuse them across runs.
This feature needs to be enabled explicitly in testcontainers.properties, may require changes to how you configure data initialization in dev mode and tests, and may leave containers running indefinitely, forcing you to stop and remove them manually. See this section of the documentation for more information.
This configuration property is set to true by default, so it is mostly useful to disable reuse, if you enabled it in testcontainers.properties but only want to use it for some of your Quarkus applications.
The index (1 based numbering) of the column containing the Bcrypt salt. The default value of -1 implies that the salt is stored in the password column using the Modular Crypt Format (MCF) standard.
The index (1 based numbering) of the column containing the Bcrypt iteration count. The default value of -1 implies that the iteration count is stored in the password column using the Modular Crypt Format (MCF) standard.
Determine if the OAuth2 extension is enabled. Enabled by default if you include the elytron-security-oauth2 dependency, so this would be used to disable it.
Environment variable: QUARKUS_OAUTH2_ENABLED
Type: boolean
Default: true
quarkus.oauth2.role-claim
The claim that is used in the introspection endpoint response to load the roles.
Environment variable: QUARKUS_OAUTH2_ROLE_CLAIM
Type: string
Default: scope
quarkus.oauth2.client-id
The OAuth2 client id used to validate the token. Mandatory if the extension is enabled.
Environment variable: QUARKUS_OAUTH2_CLIENT_ID
Type: string
quarkus.oauth2.client-secret
The OAuth2 client secret used to validate the token. Mandatory if the extension is enabled. Supply it through its environment variable or a secret store rather than committing it to application.properties.
quarkus.oauth2.ca-cert-file
The OAuth2 server certificate file. Warning: this is not supported in native mode, where the certificate must be included in the truststore used during the native image generation; see Using SSL With Native Executables.
Environment variable: QUARKUS_OAUTH2_CA_CERT_FILE
Type: string
Elytron Security Properties File
quarkus.security.users.embedded.plain-text
If the properties are stored in plain text. If this is false (the default) then it is expected that the passwords are of the form HEX( MD5( username ":" realm ":" password ) ). Note that this is the HTTP Digest H(A1) value, not a slow password hash: it is bound to the configured realm name, so the realm used to compute the digests must match the one configured for the application, and the properties file must still be protected as a secret.
If Flyway is disabled, the Flyway beans won’t be created and Flyway won’t be usable.
Environment variable: QUARKUS_FLYWAY_ENABLED
Type: boolean
Default: true
quarkus.flyway.locations
Comma-separated list of locations to scan recursively for migrations. The location type is determined by its prefix.
Unprefixed locations or locations starting with classpath: point to a package on the classpath and may contain both SQL and Java-based migrations.
Locations starting with filesystem: point to a directory on the filesystem, may only contain SQL migrations and are only scanned recursively down non-hidden directories.
Environment variable: QUARKUS_FLYWAY_LOCATIONS
Type: list of string
Default: db/migration
quarkus.flyway.callbacks
Comma-separated list of fully qualified class names of Callback implementations to use to hook into the Flyway lifecycle. The org.flywaydb.core.api.callback.Callback subclass must have a no-args constructor and must not be abstract. These classes must also not have any fields that hold state (unless that state is initialized in the constructor).
Environment variable: QUARKUS_FLYWAY_CALLBACKS
Type: list of string
quarkus.flyway.active
Flag to activate/deactivate Flyway for a specific datasource at runtime.
Environment variable: QUARKUS_FLYWAY_ACTIVE
Type: boolean
Default: 'true' if the datasource is active; 'false' otherwise
quarkus.flyway.connect-retries
The maximum number of retries when attempting to connect to the database.
After each failed attempt, Flyway will wait up to the configured connect-retries-interval duration before attempting to connect again, up to the maximum number of times specified by connectRetries.
Sets the default schema managed by Flyway. This schema name is case-sensitive. If not specified, but schemas is, Flyway uses the first schema in that list. If that is also not specified, Flyway uses the default schema for the database connection.
Consequences:
This schema will be the one containing the schema history table.
This schema will be the default for the database connection (provided the database supports this concept).
The JDBC URL that Flyway uses to connect to the database. Falls back to the datasource URL if not specified.
Environment variable: QUARKUS_FLYWAY_JDBC_URL
Type: string
quarkus.flyway.username
The username that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource username if not specified.
Environment variable: QUARKUS_FLYWAY_USERNAME
Type: string
quarkus.flyway.password
The password that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource password if not specified. Prefer supplying it through the environment variable below, or a secret store, rather than keeping it in a committed application.properties.
Environment variable: QUARKUS_FLYWAY_PASSWORD
Type: string
quarkus.flyway.schemas
Comma-separated case-sensitive list of schemas managed by Flyway. The first schema in the list will be automatically set as the default one during the migration. It will also be the one containing the schema history table.
Environment variable: QUARKUS_FLYWAY_SCHEMAS
Type: list of string
quarkus.flyway.table
The name of Flyway’s schema history table. By default (single-schema mode), the schema history table is placed in the default schema for the connection provided by the datasource. When the flyway.schemas property is set (multi-schema mode), the schema history table is placed in the first schema of the list.
Environment variable: QUARKUS_FLYWAY_TABLE
Type: string
quarkus.flyway.sql-migration-prefix
The file name prefix for versioned SQL migrations. Versioned SQL migrations have the following file name structure: prefixVERSIONseparatorDESCRIPTIONsuffix , which using the defaults translates to V1.1__My_description.sql
The file name prefix for repeatable SQL migrations. Repeatable SQL migrations have the following file name structure: prefixSeparatorDESCRIPTIONsuffix , which using the defaults translates to R__My_description.sql
true to execute Flyway baseline before migrations. This flag is ignored if the flyway_schema_history table exists in the current schema or if the current schema is empty. Note that this will not automatically call migrate; you must either enable baselineAtStart or programmatically call flyway.migrate().
true to execute Flyway baseline automatically when the application starts. This flag is ignored if the flyway_schema_history table exists in the current schema. This will work even if the current schema is empty.
Ignore missing migrations when reading the history table. When set to true migrations from older versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
Ignore future migrations when reading the history table. When set to true migrations from newer versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
The SQL statements to run to initialize a new database connection immediately after opening it.
Environment variable: QUARKUS_FLYWAY_INIT_SQL
Type: string
quarkus.flyway.validate-migration-naming
Whether to validate migrations and callbacks whose scripts do not obey the correct naming convention. A failure can be useful to check that errors such as case sensitivity in migration prefixes have been corrected.
Ignore migrations during validate and repair according to a given list of patterns (see https://flywaydb.org/documentation/configuration/parameters/ignoreMigrationPatterns for more information). When this configuration is set, the ignoreFutureMigrations and ignoreMissingMigrations settings are ignored. Patterns are comma separated.
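The JDBC URL, username and password properties above let Flyway connect with an account different from the one the application uses at runtime. The following application.properties fragment is an added example, not configuration from the Quarkus documentation or from any project: it gives Flyway a DDL-capable migration account while the runtime datasource uses a DML-only account, reads both secrets from environment variables instead of the file, and makes the production profile fail on migration drift rather than ignore it. The quarkus.datasource.* keys, quarkus.flyway.migrate-at-start, quarkus.flyway.baseline-on-migrate and the ignore-*-migrations keys are assumed from the datasource and Flyway extensions; host names, database and account names are made up.

```properties
# Runtime datasource: the application account only needs DML rights on the app schema.
quarkus.datasource.db-kind=postgresql
quarkus.datasource.jdbc.url=jdbc:postgresql://db.internal:5432/app
quarkus.datasource.username=app_rw
quarkus.datasource.password=${APP_DB_PASSWORD}

# Flyway connects with a separate account that owns the schema and may run DDL.
# Because quarkus.flyway.jdbc-url is set explicitly, username/password do NOT fall
# back to the datasource credentials above; both must be given here.
quarkus.flyway.jdbc-url=jdbc:postgresql://db.internal:5432/app
quarkus.flyway.username=app_migrator
quarkus.flyway.password=${FLYWAY_DB_PASSWORD}
quarkus.flyway.schemas=app
quarkus.flyway.table=flyway_schema_history
quarkus.flyway.locations=classpath:db/migration
quarkus.flyway.connect-retries=5
quarkus.flyway.migrate-at-start=true

# Production: any mismatch between the history table and the shipped scripts is an error,
# and an existing non-empty schema is never silently adopted as a baseline.
%prod.quarkus.flyway.ignore-missing-migrations=false
%prod.quarkus.flyway.ignore-future-migrations=false
%prod.quarkus.flyway.validate-migration-naming=true
%prod.quarkus.flyway.baseline-on-migrate=false

# Dev: allow adopting a pre-existing local schema so migrate() can proceed.
%dev.quarkus.flyway.baseline-on-migrate=true
```

Grant the migration account ownership of the app schema and the runtime account only SELECT/INSERT/UPDATE/DELETE on its tables; a SQL injection reached through the runtime datasource then cannot alter the schema or the history table.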
quarkus.flyway."datasource-name".* (for example quarkus.flyway."datasource-name".connect-retries)
Every Flyway property documented above for the default datasource (migration locations, callbacks, the active flag, connect retries, default schema, username, password, schemas, history table, versioned and repeatable migration prefixes, baseline flags, handling of missing and future migrations, naming validation and ignore patterns) is also available per named datasource under this prefix, with identical semantics.
Cloud Event type (ce-type) that triggers this function. Default value is function name. This config item is only required when there is more than one function defined within the deployment. The ce-type is not looked at if there is only one function in the deployment. The message will just be dispatched to that function. This allows you to change the knative trigger binding without having to change the configuration of the quarkus deployment.
The function to export. If there is more than one function defined for this deployment, then you must set this variable. If there is only a single function, you do not have to set this config item.
Environment variable: QUARKUS_FUNQY_EXPORT
Type: string
Google Cloud Functions
quarkus.google-cloud-functions.function
The function name. Function names are specified on function classes using the @jakarta.inject.Named annotation. If this name is unspecified and there is exactly one unnamed function then this unnamed function will be used. If there is only a single named function and the name is unspecified then the named function will be used. These rules apply for each function implementation (HttpFunction, BackgroundFunction, RawBackgroundFunction).
gRPC code generation can scan dependencies of the application for proto files to generate Java stubs from. This property sets the scope of the dependencies to scan. Applicable values:
none - default - don’t scan dependencies
a comma separated list of groupId:artifactId coordinates to scan
Start gRPC server in dev mode even if no gRPC services are implemented. By default set to true to ease incremental development of new services using dev mode.
An optional trust store which holds the certificate information of the certificates to trust. The trust store can be either on the classpath or in an external file.
If not set and the default TLS configuration is configured (quarkus.tls.*) then that will be used. If a name is configured, it uses the configuration from quarkus.tls.<name>.* If a name is configured, but no TLS configuration is found with that name then an error will be thrown.
If no TLS configuration is set, and quarkus.tls.* is not configured, then, quarkus.grpc.clients.$client-name.tls will be used.
Important: This is only supported when using the Quarkus (Vert.x-based) gRPC client.
Whether to use a separate HTTP server to serve gRPC requests. Set this to false to use the newer Vert.x gRPC support, which serves gRPC on the existing Vert.x HTTP server.
The classpath path or file path to the corresponding certificate private key file in PEM format.
Environment variable: QUARKUS_GRPC_SERVER_SSL_KEY
Type: path
quarkus.grpc.server.ssl.key-store
An optional keystore that holds the certificate information instead of specifying separate files. The keystore can be either on classpath or an external file.
Sets the ordered list of enabled SSL/TLS protocols.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3". TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should not be re-enabled.
Note that setting an empty list, and enabling SSL/TLS is invalid. You must at least have one protocol.
Enables the gRPC Reflection Service. By default, the reflection service is only exposed in dev mode. This setting allows overriding this choice and enabling the reflection service in every mode. Reflection publishes the full service and message descriptors to any client that can reach the server, so enable it in production only when that disclosure is acceptable.
Number of gRPC server verticle instances. This is useful for scaling easily across multiple cores. The number should not exceed the amount of event loops.
Sets a custom permit-keep-alive duration. This configures the most aggressive keep-alive time clients are permitted to configure. The server will try to detect clients exceeding this rate and when detected will forcefully close the connection.
If set to true, and a Stork load balancer is used, connections with all available service instances will be requested proactively. This means better load balancing at the cost of having multiple active connections.
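The gRPC server TLS settings above (PEM key, keystore, protocol list) and the reflection switch combine into a small hardening profile. This application.properties fragment is an added example, not configuration from the Quarkus documentation or from any project: it serves the gRPC endpoint over TLS 1.3/1.2 only, requires client certificates, and keeps reflection off outside dev mode. quarkus.grpc.server.ssl.key is documented above; quarkus.grpc.server.ssl.certificate, quarkus.grpc.server.ssl.protocols, quarkus.grpc.server.ssl.trust-store, quarkus.grpc.server.ssl.client-auth, quarkus.grpc.server.plain-text and quarkus.grpc.server.enable-reflection-service are assumed from the gRPC extension, and the file paths are made up.

```properties
# Server identity as a PEM key pair (classpath or external paths).
quarkus.grpc.server.ssl.certificate=tls/server.crt
quarkus.grpc.server.ssl.key=tls/server.key
# Refuse cleartext HTTP/2 on the gRPC port (assumed key).
quarkus.grpc.server.plain-text=false

# Only modern protocol versions; never list TLSv1 or TLSv1.1 here (assumed key name).
quarkus.grpc.server.ssl.protocols=TLSv1.3,TLSv1.2

# Mutual TLS: clients must present a certificate chaining to this trust store (assumed keys).
quarkus.grpc.server.ssl.trust-store=tls/client-ca.p12
quarkus.grpc.server.ssl.trust-store-password=${GRPC_TRUSTSTORE_PASSWORD}
quarkus.grpc.server.ssl.client-auth=REQUIRED

# Reflection exposes every service and message schema; keep it to dev mode only.
%dev.quarkus.grpc.server.enable-reflection-service=true
%prod.quarkus.grpc.server.enable-reflection-service=false
```

With client-auth set to REQUIRED the handshake fails before any RPC is dispatched, so an unauthenticated caller never reaches service code or the reflection endpoint even if the latter were left on.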
Whether Hibernate Envers is enabled <strong>during the build</strong>.
If Hibernate Envers is disabled during the build, all processing related to Hibernate Envers will be skipped,
and the audit entities will not be added to the Hibernate ORM metamodel
nor to the database schema that Hibernate ORM generates,
but it will not be possible to use Hibernate Envers at runtime:
quarkus.hibernate-envers.active will default to false and setting it to true will lead to an error.
Whether Hibernate Envers should be active for this persistence unit at runtime.
If Hibernate Envers is not active, the audit entities will still be added to the Hibernate ORM metamodel
and to the database schema that Hibernate ORM generates:
you would need to disable Hibernate Envers at build time (i.e. set quarkus.hibernate-envers.enabled to false)
in order to avoid that.
However, when Hibernate Envers is not active, it will not process entity change events
or create new versions of entities,
and accessing the AuditReader through AuditReaderFactory will not be possible.
Note that if Hibernate Envers is disabled (i.e. quarkus.hibernate-envers.enabled is set to false),
it won’t be active for any persistence unit, and setting this property to true will fail.
Enable the do_not_audit_optimistic_locking_field feature. Maps to org.hibernate.envers.configuration.EnversSettings#DO_NOT_AUDIT_OPTIMISTIC_LOCKING_FIELD.
Defines the suffix to be used for modified flag columns. Defaults to _MOD. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_FLAG_SUFFIX
Defines the fully qualified class name of a user defined revision listener. Maps to org.hibernate.envers.configuration.EnversSettings#REVISION_LISTENER.
Defines the property name for the audit entity’s composite primary key. Defaults to originalId. Maps to org.hibernate.envers.configuration.EnversSettings#ORIGINAL_ID_PROP_NAME.
Defines the column name that holds the end revision number in audit entities. Defaults to REVEND. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_END_REV_FIELD_NAME.
Enables the audit_strategy_validity_store_revend_timestamp feature. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_STORE_REVEND_TIMESTAMP.
Defines the column name of the revision end timestamp in the audit tables. Defaults to REVEND_TSTMP. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_REVEND_TIMESTAMP_FIELD_NAME.
Defines the name of the column used for storing collection ordinal values for embeddable elements. Defaults to SETORDINAL. Maps to org.hibernate.envers.configuration.EnversSettings#EMBEDDABLE_SET_ORDINAL_FIELD_NAME.
Defines the naming strategy to be used for modified columns. Defaults to org.hibernate.envers.boot.internal.LegacyModifiedColumnNamingStrategy. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_COLUMN_NAMING_STRATEGY.
Whether Hibernate ORM is enabled during the build.
If Hibernate ORM is disabled during the build, all processing related to Hibernate ORM will be skipped,
but it will not be possible to activate Hibernate ORM at runtime:
quarkus.hibernate-orm.active will default to false and setting it to true will lead to an error.
Whether session metrics should be appended into the server log for each Hibernate session. This only has effect if statistics are enabled (quarkus.hibernate-orm.statistics). The default is false (which means both statistics and log-session-metrics need to be enabled for the session metrics to appear in the log).
Paths to files containing the SQL statements to execute when Hibernate ORM starts.
The files are retrieved from the classpath resources,
so they must be located in the resources directory (e.g. src/main/resources).
The default value for this setting differs depending on the Quarkus launch mode:
In dev and test modes, it defaults to import.sql.
Simply add an import.sql file in the root of your resources directory
and it will be picked up without having to set this property.
Pass no-file to force Hibernate ORM to ignore the SQL import file.
In production mode, it defaults to no-file.
It means Hibernate ORM won’t try to execute any SQL import file by default.
Pass an explicit value to force Hibernate ORM to execute the SQL import file.
If you need different SQL statements between dev mode, test (@QuarkusTest) and in production, use Quarkus
configuration profiles facility.
Pluggable strategy contract for applying physical naming rules for database object names. Class name of the Hibernate PhysicalNamingStrategy implementation
Pluggable strategy for applying implicit naming rules when an explicit name is not given. Class name of the Hibernate ImplicitNamingStrategy implementation
Not all customization options exposed by
org.hibernate.boot.MetadataBuilder
will work correctly. Stay clear of options related to classpath scanning in particular.
This setting is exposed mainly to allow registration of types, converters and SQL functions.
Identifiers can be quoted using one of the available strategies.
Set to none by default, meaning no identifiers will be quoted. If set to all, all identifiers and column definitions will be quoted. Additionally, setting it to all-except-column-definitions will skip the column definitions, which can usually be required when they exist, or else use the option only-keywords to quote only identifiers deemed SQL keywords by the Hibernate ORM dialect.
Defines the method for multi-tenancy (DATABASE, NONE, SCHEMA). The complete list of allowed values is available in the Hibernate ORM JavaDoc. The type DISCRIMINATOR is currently not supported. The default value is NONE (no multi-tenancy).
If Hibernate ORM is not auto-generating the schema, and Quarkus is running in development mode, then Quarkus will attempt to validate the database after startup and print a log message if there are any problems.
If the persistence unit is not active, it won’t start with the application,
and accessing the corresponding EntityManagerFactory/EntityManager or SessionFactory/Session
will not be possible.
Note that if Hibernate ORM is disabled (i.e. quarkus.hibernate-orm.enabled is set to false),
all persistence units are deactivated, and setting this property to true will fail.
Properties that should be passed on directly to Hibernate ORM.
Use the full configuration property key here,
for instance quarkus.hibernate-orm.unsupported-properties."hibernate.order_inserts" = true.
Properties set here are completely unsupported:
as Quarkus doesn’t generally know about these properties and their purpose,
there is absolutely no guarantee that they will work correctly,
and even if they do, that may change when upgrading to a newer version of Quarkus
(even just a micro/patch version).
Consider using a supported configuration property before falling back to unsupported ones.
If none exists, make sure to file a feature request so that a supported configuration property can be added to Quarkus,
and more importantly so that the configuration property is tested regularly.
When set, attempts to exchange data with the database
as the given version of Hibernate ORM would have,
on a best-effort basis.
Please note:
schema validation may still fail in some cases:
this attempts to make Hibernate ORM 6+ behave correctly at runtime,
but it may still expect a different (but runtime-compatible) schema.
robust test suites are still useful and recommended:
you should still check that your application behaves as intended with your legacy schema.
this feature is inherently unstable:
some aspects of it may stop working in future versions of Quarkus,
and older versions will be dropped as Hibernate ORM changes pile up
and support for those older versions becomes too unreliable.
Select whether the database schema is generated or not. drop-and-create is convenient in development mode but destroys existing data; in production prefer none or validate and manage the schema through migrations. This defaults to 'none'; however, if Dev Services is in use and no other extension that manages the schema is present, it defaults to 'drop-and-create'. Accepted values: none, create, drop-and-create, drop, update, validate.
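The SQL load script and schema generation settings above are the two Hibernate ORM knobs that most often leak development behaviour into production (seed users and test rows executed at startup, or the ORM altering a live schema). The following application.properties fragment is an added example, not configuration from the Quarkus documentation or from any project: it uses the profile mechanism the page refers to so that each launch mode gets an explicit value instead of relying on the mode-dependent defaults. The key quarkus.hibernate-orm.sql-load-script corresponds to the load-script setting described above; quarkus.hibernate-orm.database.generation and quarkus.hibernate-orm.log.sql are assumed key names from the Hibernate ORM extension, and the script file names are made up.

```properties
# Dev: throwaway schema plus seed data for manual testing.
%dev.quarkus.hibernate-orm.database.generation=drop-and-create
%dev.quarkus.hibernate-orm.sql-load-script=import-dev.sql
%dev.quarkus.hibernate-orm.log.sql=true

# Test (@QuarkusTest): same lifecycle, but a separate fixture file so test data
# never has to live in the dev seed script.
%test.quarkus.hibernate-orm.database.generation=drop-and-create
%test.quarkus.hibernate-orm.sql-load-script=import-test.sql

# Prod: no load script at all, the ORM only checks that the schema matches the
# mapping (fail fast on drift) and never emits DDL; SQL logging stays off so
# bound parameter values do not end up in log aggregation.
%prod.quarkus.hibernate-orm.sql-load-script=no-file
%prod.quarkus.hibernate-orm.database.generation=validate
%prod.quarkus.hibernate-orm.log.sql=false
```

Setting the prod values explicitly, rather than trusting the no-file default, protects against a later change that sets quarkus.hibernate-orm.sql-load-script without a profile prefix and thereby applies it to every mode.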
For supported databases,
this property does not need to be set explicitly:
it is selected automatically based on the datasource,
and configured using the DB version set on the
datasource
to benefit from the best performance and latest features.
If your database does not have a corresponding Quarkus extension,
you will need to set this property explicitly.
In that case, keep in mind that the JDBC driver and Hibernate ORM dialect
may not work properly in GraalVM native executables.
For built-in dialects, the expected value is one of the names
in the official list of dialects,
without the Dialect suffix,
for example Cockroach for CockroachDialect.
For third-party dialects, the expected value is the fully-qualified class name,
for example com.acme.hibernate.AcmeDbDialect.
default
Equivalent to native if supported, normalize-utc otherwise.
auto
Equivalent to native if supported, column otherwise.
native
Stores the timestamp and timezone in a column of type timestamp with time zone.
Only available on some databases/dialects;
if not supported, an exception will be thrown during static initialization.
column
Stores the timezone in a separate column next to the timestamp column.
Use @TimeZoneColumn on the relevant entity property to customize the timezone column.
normalize-utc
Does not store the timezone, and loses timezone information upon persisting.
Instead, normalizes the value to a timestamp in the UTC timezone.
normalize
Does not store the timezone, and loses timezone information upon persisting.
Instead, normalizes the value:
* upon persisting to the database, to a timestamp in the JDBC timezone set through quarkus.hibernate-orm.jdbc.timezone, or the JVM default timezone if not set.
* upon reading back from the database, to the JVM default timezone.
Use this to get the legacy behavior of Quarkus 2 / Hibernate ORM 5 or older.
The optimizer to apply to identifier generators
whose optimizer is not configured explicitly.
Only relevant for table- and sequence-based identifier generators.
Other generators, such as UUID-based generators, will ignore this setting.
The optimizer is responsible for pooling new identifier values,
in order to reduce the frequency of database calls to retrieve those values
and thereby improve performance.
pooled-lo
Assumes the value retrieved from the table/sequence is the lower end of the pool. Upon retrieving value N, the new pool of identifiers will go from N to N + <allocation size> - 1, inclusive.
pooled
Assumes the value retrieved from the table/sequence is the higher end of the pool. Upon retrieving value N, the new pool of identifiers will go from N - <allocation size> to N + <allocation size> - 1, inclusive. The first value, 1, is handled differently to avoid negative identifiers. Use this to get the legacy behavior of Quarkus 2 / Hibernate ORM 5 or older.
none
No optimizer, resulting in a database call each and every time an identifier value is needed from the generator. Not recommended in production environments: may result in degraded performance and/or frequent gaps in identifier values.
Existing applications rely (implicitly or explicitly) on Hibernate ignoring any DiscriminatorColumn declarations on joined inheritance hierarchies. This setting allows these applications to maintain the legacy behavior of DiscriminatorColumn annotations being ignored when paired with joined inheritance.
Whether Hibernate Search is enabled during the build.
If Hibernate Search is disabled during the build, all processing related to Hibernate Search will be skipped,
but it will not be possible to activate Hibernate Search at runtime:
quarkus.hibernate-search-orm.active will default to false and setting it to true will lead to an error.
Instead of setting this configuration property,
you can simply annotate your custom FailureHandler implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
One or more bean references
to the component(s) used to configure the Hibernate Search mapping,
in particular programmatically.
The referenced beans must implement HibernateOrmSearchMappingConfigurer.
See Programmatic mapping for an example
on how mapping configurers can be used to apply programmatic mappings.
Instead of setting this configuration property,
you can simply annotate your custom HibernateOrmSearchMappingConfigurer implementations with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
Whether Hibernate Search should be active for this persistence unit at runtime.
If Hibernate Search is not active, it won’t index Hibernate ORM entities,
and accessing the SearchMapping/SearchSession of the relevant persistence unit
for search or other operation will not be possible.
Note that if Hibernate Search is disabled (i.e. quarkus.hibernate-search-orm.enabled is set to false),
it won’t be active for any persistence unit, and setting this property to true will fail.
The schema management strategy, controlling how indexes and their schema
are created, updated, validated or dropped on startup and shutdown.
Available values:
Strategy
Definition
none
Do nothing: assume that indexes already exist and that their schema matches Hibernate Search’s expectations.
validate
Validate that indexes exist and that their schema matches Hibernate Search’s expectations.
If it does not, throw an exception, but make no attempt to fix the problem.
create
For indexes that do not exist, create them along with their schema.
For indexes that already exist, do nothing: assume that their schema matches Hibernate Search’s expectations.
create-or-validate (default unless using Dev Services)
For indexes that do not exist, create them along with their schema.
For indexes that already exist, validate that their schema matches Hibernate Search’s expectations.
If it does not, throw an exception, but make no attempt to fix the problem.
create-or-update
For indexes that do not exist, create them along with their schema.
For indexes that already exist, validate that their schema matches Hibernate Search’s expectations;
if it does not match expectations, try to update it.
This strategy is unfit for production environments,
due to several important limitations,
but can be useful when developing.
drop-and-create
For indexes that do not exist, create them along with their schema.
For indexes that already exist, drop them, then create them along with their schema.
drop-and-create-and-drop (default when using Dev Services)
For indexes that do not exist, create them along with their schema.
For indexes that already exist, drop them, then create them along with their schema.
How to synchronize between application threads and indexing,
in particular when relying on (implicit) listener-triggered indexing on entity change,
but also when using a SearchIndexingPlan explicitly.
Defines how complete indexing should be before resuming the application thread
after a database transaction is committed.
Indexing synchronization is only relevant when coordination is disabled (which is the default).
With the outbox-polling coordination strategy,
indexing happens in background threads and is always asynchronous;
the behavior is equivalent to the write-sync synchronization strategy.
Available values (guarantees apply at the moment the application thread resumes):

| Strategy | Throughput | Changes applied | Changes safe from crash/power loss | Changes visible on search |
|---|---|---|---|---|
| async | Best | No guarantee | No guarantee | No guarantee |
| write-sync (default) | Medium | Guaranteed | Guaranteed | No guarantee |
| read-sync | Medium to worst | Guaranteed | No guarantee | Guaranteed |
| sync | Worst | Guaranteed | Guaranteed | Guaranteed |
This property also accepts a bean reference
to a custom implementation of IndexingPlanSynchronizationStrategy.
Instead of setting this configuration property,
you can simply annotate your custom IndexingPlanSynchronizationStrategy implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
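Added example (not part of the Quarkus reference): a per-profile application.properties that pins the schema management and indexing synchronization strategies described above. The property keys (quarkus.hibernate-search-orm.schema-management.strategy and quarkus.hibernate-search-orm.indexing.plan.synchronization.strategy) are assumed from the Quarkus 3.x Hibernate Search ORM + Elasticsearch extension; they are not shown on this page, so verify them against the reference for your Quarkus version.

```properties
# Added example, not from the Quarkus docs. Keys assumed from the Quarkus 3.x
# Hibernate Search ORM + Elasticsearch extension; verify against your version.

# Production: the application must never mutate or drop live indexes.
# validate fails fast on startup if the deployed schema drifted from the mapping,
# which is preferable to silently serving a broken index.
%prod.quarkus.hibernate-search-orm.schema-management.strategy=validate
# write-sync (the default) is durable; read-sync and sync pay a refresh/flush
# on every transaction commit and are only worth it where visibility matters.
%prod.quarkus.hibernate-search-orm.indexing.plan.synchronization.strategy=write-sync

# Dev: Dev Services already defaults to drop-and-create-and-drop; making it explicit
# keeps the behaviour if Dev Services is ever turned off.
%dev.quarkus.hibernate-search-orm.schema-management.strategy=drop-and-create-and-drop

# Tests: sync makes every change visible to the next query, so assertions do not
# race the background indexing; throughput is irrelevant here.
%test.quarkus.hibernate-search-orm.schema-management.strategy=drop-and-create-and-drop
%test.quarkus.hibernate-search-orm.indexing.plan.synchronization.strategy=sync

# Misconfiguration to avoid: create-or-update in production. It tries to alter live
# indexes in place and cannot handle many schema changes (see the limitations above).
# %prod.quarkus.hibernate-search-orm.schema-management.strategy=create-or-update
```

With this layout, a production deployment whose index schema does not match the mapping refuses to start instead of indexing into a mismatched schema; reindex into a fresh index (for example with the mass indexer) and redeploy.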
The version of Elasticsearch used in the cluster.
As the schema is generated without a connection to the server, this item is mandatory.
It doesn’t have to be the exact version (it can be 7 or 7.1 for instance) but it has to be sufficiently precise
to choose a model dialect (the one used to generate the schema) compatible with the protocol dialect (the one used
to communicate with Elasticsearch).
There’s no rule of thumb here as it depends on the schema incompatibilities introduced by Elasticsearch versions. In
any case, if there is a problem, you will get an error when Hibernate Search tries to connect to the cluster.
A bean reference to the component
used to configure the Elasticsearch layout: index names, index aliases, …
The referenced bean must implement IndexLayoutStrategy.
Available built-in implementations:
simple
The default, future-proof strategy: if the index name in Hibernate Search is myIndex,
this strategy will create an index named myindex-000001, an alias for write operations named myindex-write,
and an alias for read operations named myindex-read.
no-alias
A strategy without index aliases, mostly useful on legacy clusters:
if the index name in Hibernate Search is myIndex,
this strategy will create an index named myindex, and will not use any alias.
Instead of setting this configuration property,
you can simply annotate your custom IndexLayoutStrategy implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
Path to a file in the classpath holding custom index settings to be included in the index definition
when creating an Elasticsearch index.
The provided settings will be merged with those generated by Hibernate Search, including analyzer definitions.
When analysis is configured both through an analysis configurer and these custom settings, the behavior is undefined;
it should not be relied upon.
Path to a file in the classpath holding a custom index mapping to be included in the index definition
when creating an Elasticsearch index.
The file does not need to (and generally shouldn’t) contain the full mapping:
Hibernate Search will automatically inject missing properties (index fields) in the given mapping.
Instead of setting this configuration property,
you can simply annotate your custom ElasticsearchAnalysisConfigurer implementations with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
The size of the thread pool assigned to the backend.
Note that this number is per backend, not per index.
Adding more indexes will not add more threads.
As all operations happening in this thread-pool are non-blocking,
raising its size above the number of processor cores available to the JVM will not bring noticeable performance
benefit.
The only reason to alter this setting would be to reduce the number of threads;
for example, in an application with a single index with a single indexing queue,
running on a machine with 64 processor cores,
you might want to bring down the number of threads.
Defaults to the number of processor cores available to the JVM on startup.
The number of indexing queues assigned to each index.
Higher values will lead to more connections being used in parallel,
which may lead to higher indexing throughput,
but incurs a risk of overloading Elasticsearch,
i.e. of overflowing its HTTP request buffers and tripping
circuit breakers,
leading to Elasticsearch giving up on some requests and resulting in indexing failures.
Lower values may lead to lower memory usage, especially if there are many queues,
but values that are too low will reduce the likelihood of reaching the max bulk size
and increase the likelihood of application threads blocking because the queue is full,
which may lead to lower indexing throughput.
The maximum size of bulk requests created when processing indexing queues.
Higher values will lead to more documents being sent in each HTTP request sent to Elasticsearch,
which may lead to higher indexing throughput,
but incurs a risk of overloading Elasticsearch,
i.e. of overflowing its HTTP request buffers and tripping
circuit breakers,
leading to Elasticsearch giving up on some requests and resulting in indexing failures.
Note that raising this number above the queue size has no effect,
as bulks cannot include more requests than are contained in the queue.
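Added example (not part of the Quarkus reference): an application.properties fragment covering the backend settings above (Elasticsearch version, index layout, custom settings and mapping files, indexing queues, bulk size and thread pool). The keys are assumed from the Quarkus 3.x Hibernate Search ORM + Elasticsearch extension and the file paths are hypothetical; verify both against your project.

```properties
# Added example, not from the Quarkus docs. Keys assumed from the Quarkus 3.x
# Hibernate Search ORM + Elasticsearch extension; file paths are hypothetical.

# Mandatory: the schema is generated offline, so declare the cluster's major version.
# If the chosen model dialect cannot talk to the cluster, startup fails on connect.
quarkus.hibernate-search-orm.elasticsearch.version=8

# Keep the default alias layout (myindex-000001 plus myindex-write / myindex-read):
# it lets you reindex into a fresh index and switch the read alias without downtime.
quarkus.hibernate-search-orm.elasticsearch.layout.strategy=simple

# Custom settings and mapping on the classpath, merged into what Hibernate Search
# generates. Do not also configure analysis through an ElasticsearchAnalysisConfigurer:
# the reference declares that combination undefined.
quarkus.hibernate-search-orm.elasticsearch.schema-management.settings-file=es/index-settings.json
quarkus.hibernate-search-orm.elasticsearch.schema-management.mapping-file=es/index-mapping.json

# Indexing pipeline. Invariant: max-bulk-size <= queue-size, otherwise the extra bulk
# capacity is never used, because a bulk cannot exceed what the queue holds.
quarkus.hibernate-search-orm.elasticsearch.indexing.queue-count=4
quarkus.hibernate-search-orm.elasticsearch.indexing.queue-size=1000
quarkus.hibernate-search-orm.elasticsearch.indexing.max-bulk-size=100

# Thread pool is per backend and non-blocking: only ever lower it. Example for a
# single index with a single queue on a 64-core machine:
# quarkus.hibernate-search-orm.elasticsearch.thread-pool.size=8
```

When tuning queue-count and max-bulk-size upwards, watch the Elasticsearch side for rejected bulk requests and circuit-breaker trips; those surface as indexing failures in the application rather than as slow requests.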
If the management interface is enabled, the reindexing endpoints are published under it.
Set this property to true to enable these endpoints.
Whether the event processor is enabled,
i.e. whether events will be processed to perform automatic reindexing on this instance of the application.
This can be set to false to disable event processing on some application nodes,
for example to dedicate some nodes to HTTP request processing and other nodes to event processing.
The total number of shards that will form a partition of the entity change events to process.
By default, sharding is dynamic and setting this property is not necessary.
If you want to control explicitly the number and assignment of shards,
you must configure static sharding, and then this property and the assigned shards (see shards.assigned)
must both be set.
Among shards that will form a partition of the entity change events,
the shards that will be processed by this application instance.
By default, sharding is dynamic and setting this property is not necessary.
If you want to control explicitly the number and assignment of shards,
you must configure static sharding, and then this property and the total shard count (see shards.total-count)
must both be set.
Shards are referred to by an index in the range [0, total_count - 1].
A given application node must be assigned at least one shard but may be assigned multiple shards
by setting shards.assigned to a comma-separated list, e.g. 0,3.
How long to wait for another query to the outbox events table after a query didn’t return any event.
Lower values will reduce the time it takes for a change to be reflected in the index,
but will increase the stress on the database when there are no new events.
How long the event processor can poll for events before it must perform a "pulse",
updating and checking registrations in the agents table.
The pulse interval must be set to a value between the polling interval
and one third (1/3) of the expiration interval.
Low values (closer to the polling interval) mean less time wasted not processing events
when a node joins or leaves the cluster,
and reduced risk of wasting time not processing events
because an event processor is incorrectly considered disconnected,
but more stress on the database because of more frequent checks of the list of agents.
High values (closer to the expiration interval) mean more time wasted not processing events
when a node joins or leaves the cluster,
and increased risk of wasting time not processing events
because an event processor is incorrectly considered disconnected,
but less stress on the database because of less frequent checks of the list of agents.
How long an event processor "pulse" remains valid before considering the processor disconnected
and forcibly removing it from the cluster.
The expiration interval must be set to a value at least 3 times larger than the pulse interval.
Low values (closer to the pulse interval) mean less time wasted not processing events
when a node abruptly leaves the cluster due to a crash or network failure,
but increased risk of wasting time not processing events
because an event processor is incorrectly considered disconnected.
High values (much larger than the pulse interval) mean more time wasted not processing events
when a node abruptly leaves the cluster due to a crash or network failure,
but reduced risk of wasting time not processing events
because an event processor is incorrectly considered disconnected.
How many outbox events, at most, are processed in a single transaction.
Higher values will reduce the number of transactions opened by the background process
and may increase performance thanks to the first-level cache (persistence context),
but will increase memory usage and in extreme cases may lead to OutOfMemoryErrors.
The timeout for transactions processing outbox events.
When this property is not set,
Hibernate Search will use whatever default transaction timeout is configured in the JTA transaction manager,
which may be too low for batch processing and lead to transaction timeouts when processing batches of events.
If this happens, set a higher transaction timeout for event processing using this property.
How long to wait for another query to the agent table
when actively waiting for event processors to suspend themselves.
Low values will reduce the time it takes for the mass indexer agent to detect
that event processors finally suspended themselves,
but will increase the stress on the database while the mass indexer agent is actively waiting.
High values will increase the time it takes for the mass indexer agent to detect
that event processors finally suspended themselves,
but will reduce the stress on the database while the mass indexer agent is actively waiting.
How long the mass indexer can wait before it must perform a "pulse",
updating and checking registrations in the agent table.
The pulse interval must be set to a value between the polling interval
and one third (1/3) of the expiration interval.
Low values (closer to the polling interval) mean reduced risk of
event processors starting to process events again during mass indexing
because a mass indexer agent is incorrectly considered disconnected,
but more stress on the database because of more frequent updates of the mass indexer agent’s entry in the agent table.
High values (closer to the expiration interval) mean increased risk of
event processors starting to process events again during mass indexing
because a mass indexer agent is incorrectly considered disconnected,
but less stress on the database because of less frequent updates of the mass indexer agent’s entry in the agent table.
How long a mass indexer agent "pulse" remains valid before considering the agent disconnected
and forcibly removing it from the cluster.
The expiration interval must be set to a value at least 3 times larger than the pulse interval.
Low values (closer to the pulse interval) mean less time wasted with event processors not processing events
when a mass indexer agent terminates due to a crash,
but increased risk of event processors starting to process events again during mass indexing
because a mass indexer agent is incorrectly considered disconnected.
High values (much larger than the pulse interval) mean more time wasted with event processors not processing events
when a mass indexer agent terminates due to a crash,
but reduced risk of event processors starting to process events again during mass indexing
because a mass indexer agent is incorrectly considered disconnected.
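Added example (not part of the Quarkus reference): an application.properties for a two-role cluster using outbox-polling coordination, combining the event processor, sharding, pulse/expiration and mass indexer settings described above, plus the management-interface switch for the reindexing endpoints. The keys are assumed from the Quarkus 3.x Hibernate Search ORM extension with the outbox-polling coordination artifact; the profile names web and worker, the SEARCH_SHARD variable and the interval values are hypothetical.

```properties
# Added example, not from the Quarkus docs. Keys assumed from the Quarkus 3.x
# Hibernate Search ORM extension (outbox-polling coordination); profile names,
# the SEARCH_SHARD variable and the timing values are hypothetical.

quarkus.hibernate-search-orm.coordination.strategy=outbox-polling

# Web nodes: serve HTTP, never process outbox events.
%web.quarkus.hibernate-search-orm.coordination.event-processor.enabled=false

# Worker nodes: static sharding, two shards, one per node. Every shard index in
# [0, total-count - 1] must be assigned to some node, and each node needs its own
# value, here injected per node through an environment variable.
%worker.quarkus.hibernate-search-orm.coordination.event-processor.shards.total-count=2
%worker.quarkus.hibernate-search-orm.coordination.event-processor.shards.assigned=${SEARCH_SHARD:0}

# Timing. Constraint from the descriptions above:
#   polling-interval <= pulse-interval <= pulse-expiration / 3
#   100ms <= 2s <= 30s / 3 = 10s   -> valid
%worker.quarkus.hibernate-search-orm.coordination.event-processor.polling-interval=100ms
%worker.quarkus.hibernate-search-orm.coordination.event-processor.pulse-interval=2s
%worker.quarkus.hibernate-search-orm.coordination.event-processor.pulse-expiration=30s

# Same constraint for the mass indexer agent's registration in the agent table.
quarkus.hibernate-search-orm.coordination.mass-indexer.polling-interval=100ms
quarkus.hibernate-search-orm.coordination.mass-indexer.pulse-interval=2s
quarkus.hibernate-search-orm.coordination.mass-indexer.pulse-expiration=30s

# Batching: bound memory per transaction and give the batch its own timeout instead
# of inheriting a short JTA default that would abort large batches.
%worker.quarkus.hibernate-search-orm.coordination.event-processor.batch-size=50
%worker.quarkus.hibernate-search-orm.coordination.event-processor.transaction-timeout=60s

# Invalid variant: pulse-interval above pulse-expiration / 3 (15s > 10s), so a
# healthy node is at risk of being expired by its peers between two pulses.
# %worker.quarkus.hibernate-search-orm.coordination.event-processor.pulse-interval=15s
# %worker.quarkus.hibernate-search-orm.coordination.event-processor.pulse-expiration=30s

# Reindexing endpoints: publish them only on the management interface, which should
# listen on a separate port that is not reachable from end users.
quarkus.management.enabled=true
quarkus.hibernate-search-orm.management.enabled=true
```

The shard assignment is the one setting that must differ between otherwise identical worker nodes; a duplicated assignment leaves some shard unprocessed while two nodes compete for another, so treat it as part of each node's identity (environment or per-node profile) rather than as shared configuration.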
Whether Hibernate Search Standalone is enabled during the build.
If Hibernate Search is disabled during the build, all processing related to Hibernate Search will be skipped,
but it will not be possible to activate Hibernate Search at runtime:
quarkus.hibernate-search-standalone.active will default to false and setting it to true will lead to an error.
Instead of setting this configuration property,
you can simply annotate your custom FailureHandler implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
One or more bean references
to the component(s) used to configure the Hibernate Search mapping,
in particular programmatically.
The referenced beans must implement StandalonePojoMappingConfigurer.
See Programmatic mapping for an example
on how mapping configurers can be used to apply programmatic mappings.
Instead of setting this configuration property,
you can simply annotate your custom StandalonePojoMappingConfigurer implementations with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
The structure of the Hibernate Search entity mapping.
This must match the structure of the application model being indexed with Hibernate Search:
graph (default)
Entities indexed through Hibernate Search are nodes in an entity graph,
i.e. an indexed entity is independent of other entities it references through associations,
which can be updated independently of the indexed entity;
in particular they may be passed to org.hibernate.search.mapper.pojo.standalone.work.SearchIndexingPlan#addOrUpdate(Object).
Therefore, when an entity changes, Hibernate Search may need to resolve other entities to reindex,
which means in particular that associations between entities must be bi-directional:
specifying the inverse side of associations through @AssociationInverseSide is required,
unless reindexing is disabled for that association through @IndexingDependency(reindexOnUpdate = …).
See also @AssociationInverseSide (https://docs.jboss.org/hibernate/search/7.2/reference/en-US/html_single/#mapping-reindexing-associationinverseside)
and @IndexingDependency(reindexOnUpdate = …) (https://docs.jboss.org/hibernate/search/7.2/reference/en-US/html_single/#mapping-reindexing-reindexonupdate).
document
Entities indexed through Hibernate Search are the root of a document,
i.e. an indexed entity "owns" other entities it references through associations,
which cannot be updated independently of the indexed entity;
in particular they cannot be passed to SearchIndexingPlan#addOrUpdate(Object).
Therefore, when an entity changes, Hibernate Search does not need to resolve other entities to reindex,
which means in particular that associations between entities can be uni-directional:
specifying the inverse side of associations through @AssociationInverseSide is not required.
See also @AssociationInverseSide (https://docs.jboss.org/hibernate/search/7.2/reference/en-US/html_single/#mapping-reindexing-associationinverseside).
quarkus.hibernate-search-standalone.active
Whether Hibernate Search Standalone should be active at runtime.
If Hibernate Search Standalone is not active, it won’t start with the application,
and accessing the SearchMapping for search or other operations will not be possible.
Note that if Hibernate Search Standalone is disabled
(i.e. quarkus.hibernate-search-standalone.enabled is set to false),
it won’t be active, and setting this property to true will fail.
The schema management strategy, controlling how indexes and their schema
are created, updated, validated or dropped on startup and shutdown.
Available values:
Strategy
Definition
none
Do nothing: assume that indexes already exist and that their schema matches Hibernate Search’s expectations.
validate
Validate that indexes exist and that their schema matches Hibernate Search’s expectations.
If it does not, throw an exception, but make no attempt to fix the problem.
create
For indexes that do not exist, create them along with their schema.
For indexes that already exist, do nothing: assume that their schema matches Hibernate Search’s expectations.
create-or-validate (default unless using Dev Services)
For indexes that do not exist, create them along with their schema.
For indexes that already exist, validate that their schema matches Hibernate Search’s expectations.
If it does not, throw an exception, but make no attempt to fix the problem.
create-or-update
For indexes that do not exist, create them along with their schema.
For indexes that already exist, validate that their schema matches Hibernate Search’s expectations;
if it does not match expectations, try to update it.
This strategy is unfit for production environments,
due to several important limitations,
but can be useful when developing.
drop-and-create
For indexes that do not exist, create them along with their schema.
For indexes that already exist, drop them, then create them along with their schema.
drop-and-create-and-drop (default when using Dev Services)
For indexes that do not exist, create them along with their schema.
For indexes that already exist, drop them, then create them along with their schema.
Also, drop indexes and their schema on shutdown.
Both drop-and-create variants discard all existing index data on startup; they are meant for Dev Services and tests, not for production.
How to synchronize between application threads and indexing,
in particular when relying on (implicit) listener-triggered indexing on entity change,
but also when using a SearchIndexingPlan explicitly.
Defines how complete indexing should be before resuming the application thread
after a SearchSession is closed.
Available values, with the throughput of each strategy and the guarantees that hold when the application thread resumes (whether changes are applied, whether they are safe from crash/power loss, and whether they are visible on search):
async: best throughput; no guarantee that changes are applied, safe from crash/power loss, or visible on search.
write-sync (default): medium throughput; changes are guaranteed to be applied and safe from crash/power loss, but not yet visible on search.
read-sync: medium to worst throughput; changes are guaranteed to be applied and visible on search, but not safe from crash/power loss.
sync: worst throughput; changes are guaranteed to be applied, safe from crash/power loss, and visible on search.
This property also accepts a bean reference
to a custom implementation of IndexingPlanSynchronizationStrategy.
Instead of setting this configuration property,
you can simply annotate your custom IndexingPlanSynchronizationStrategy implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
The version of Elasticsearch used in the cluster.
As the schema is generated without a connection to the server, this item is mandatory.
It doesn’t have to be the exact version (it can be 7 or 7.1 for instance) but it has to be sufficiently precise
to choose a model dialect (the one used to generate the schema) compatible with the protocol dialect (the one used
to communicate with Elasticsearch).
There’s no rule of thumb here as it depends on the schema incompatibilities introduced by Elasticsearch versions. In
any case, if there is a problem, you will get an error when Hibernate Search tries to connect to the cluster.
A bean reference to the component
used to configure the Elasticsearch layout: index names, index aliases, …
The referenced bean must implement IndexLayoutStrategy.
Available built-in implementations:
simple
The default, future-proof strategy: if the index name in Hibernate Search is myIndex,
this strategy will create an index named myindex-000001, an alias for write operations named myindex-write,
and an alias for read operations named myindex-read.
no-alias
A strategy without index aliases, mostly useful on legacy clusters:
if the index name in Hibernate Search is myIndex,
this strategy will create an index named myindex, and will not use any alias.
Instead of setting this configuration property,
you can simply annotate your custom IndexLayoutStrategy implementation with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
Path to a file in the classpath holding custom index settings to be included in the index definition
when creating an Elasticsearch index.
The provided settings will be merged with those generated by Hibernate Search, including analyzer definitions.
When analysis is configured both through an analysis configurer and these custom settings, the behavior is undefined;
it should not be relied upon.
Path to a file in the classpath holding a custom index mapping to be included in the index definition
when creating an Elasticsearch index.
The file does not need to (and generally shouldn’t) contain the full mapping:
Hibernate Search will automatically inject missing properties (index fields) in the given mapping.
Instead of setting this configuration property,
you can simply annotate your custom ElasticsearchAnalysisConfigurer implementations with @SearchExtension
and leave the configuration property unset: Hibernate Search will use the annotated implementation automatically.
See this section
for more information.
If this configuration property is set, it takes precedence over any @SearchExtension annotation.
The size of the thread pool assigned to the backend.
Note that this number is per backend, not per index:
adding more indexes will not add more threads.
As all operations happening in this thread-pool are non-blocking,
raising its size above the number of processor cores available to the JVM will not bring noticeable performance
benefit.
The only reason to alter this setting would be to reduce the number of threads;
for example, in an application with a single index with a single indexing queue,
running on a machine with 64 processor cores,
you might want to bring down the number of threads.
Defaults to the number of processor cores available to the JVM on startup.
The number of indexing queues assigned to each index.
Higher values will lead to more connections being used in parallel,
which may lead to higher indexing throughput,
but incurs a risk of overloading Elasticsearch,
i.e. of overflowing its HTTP request buffers and tripping
circuit breakers,
leading to Elasticsearch giving up on some request and resulting in indexing failures.
Lower values may lead to lower memory usage, especially if there are many queues,
but values that are too low will reduce the likeliness of reaching the max bulk size
and increase the likeliness of application threads blocking because the queue is full,
which may lead to lower indexing throughput.
The maximum size of bulk requests created when processing indexing queues.
Higher values will lead to more documents being sent in each HTTP request sent to Elasticsearch,
which may lead to higher indexing throughput,
but incurs a risk of overloading Elasticsearch,
i.e. of overflowing its HTTP request buffers and tripping
circuit breakers,
leading to Elasticsearch giving up on some request and resulting in indexing failures.
Note that raising this number above the queue size has no effect,
as bulks cannot include more requests than are contained in the queue.
If the management interface is turned on, the reindexing endpoints will be published under the management interface.
This property enables that functionality when set to true.
Define whether overriding methods that override constraints should throw a ConstraintDefinitionException. The default value is false, i.e. do not allow.
See Section 4.5.5 of the JSR 380 specification, specifically
In sub types (be it sub classes/interfaces or interface implementations), no parameter constraints may be declared on overridden or implemented methods, nor may parameters be marked for cascaded validation. This would pose a strengthening of preconditions to be fulfilled by the caller.
Define whether parallel methods that define constraints should throw a ConstraintDefinitionException. The default value is false, i.e. do not allow.
See Section 4.5.5 of the JSR 380 specification, specifically
If a sub type overrides/implements a method originally defined in several parallel types of the hierarchy (e.g. two interfaces not extending each other, or a class and an interface not implemented by said class), no parameter constraints may be declared for that method at all nor parameters be marked for cascaded validation. This again is to avoid an unexpected strengthening of preconditions to be fulfilled by the caller.
Define whether marking a return value for cascading validation more than once in a class hierarchy is allowed. The default value is false, i.e. do not allow.
See Section 4.5.5 of the JSR 380 specification, specifically
One must not mark a method return value for cascaded validation more than once in a line of a class hierarchy. In other words, overriding methods on sub types (be it sub classes/interfaces or interface implementations) cannot mark the return value for cascaded validation if the return value has already been marked on the overridden method of the super type or interface.
Configure the Expression Language feature level for constraints, allowing the selection of Expression Language features available for message interpolation.
This property only affects the EL feature level of "static" constraint violation messages set through the message attribute of constraint annotations.
In particular, it doesn’t affect the default EL feature level for custom violations created programmatically in validator implementations. The feature level for those can only be configured directly in the validator implementation.
Sets the URI of the running Infinispan server to connect to, for example hotrod://localhost:11222@admin:password. If provided, the hosts, username and password properties are ignored. Note that this form embeds the credentials in the URI, so the value should come from an environment variable or a secret rather than a committed configuration file.
Sets the client intelligence used by the Hot Rod client. Available values: * BASIC - The client does not handle server topology changes and therefore only uses the list of servers supplied at configuration time. * TOPOLOGY_AWARE - The client receives topology updates from the server and keeps its list of servers current as nodes join or leave. * HASH_DISTRIBUTION_AWARE - Like TOPOLOGY_AWARE, but with the additional advantage that each request involving keys is routed to the server that is the primary owner, which improves performance greatly. This is the default.
Sets the SASL mechanism used by authentication. Available values: * DIGEST-MD5 - A challenge-response mechanism in which the client proves knowledge of the password with MD5 hashes over server and client nonces, so the password itself is not sent on the wire. This is the default. Note that RFC 6331 moved DIGEST-MD5 to Historic status because of its weaknesses; treat it as password authentication that still needs TLS, not as a substitute for it. * EXTERNAL - Uses client certificates to provide valid identities to Infinispan Server and requires TLS. * PLAIN - Sends credentials in plain text (unencrypted) over the wire in a way that is similar to HTTP Basic authentication. You should use PLAIN authentication only in combination with TLS encryption.
Specifies the filename of a keystore to use to create the SSLContext. You also need to specify a keyStorePassword. Setting this property implicitly enables SSL/TLS.
Specifies the filename of a truststore to use to create the SSLContext. You also need to specify a trustStorePassword. Setting this property implicitly enables SSL/TLS.
Whether tracing context propagation is enabled when the OpenTelemetry extension is present. By default the context is propagated from the client to the Infinispan Server.
Enables or disables the upload of Protobuf generated schemas to the server. Set it to 'false' when you need to handle the lifecycle of the Protobuf schemas on the server side yourself. Default is 'true'. This is a global setting and is not specific to an Infinispan client.
Cache configuration file in XML, JSON or YAML, resolved from the classpath at build time, used to create the cache on first access. Example, with cacheConfig.xml located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-resource=cacheConfig.xml
Cache configuration in inlined XML used to create the cache on first access. Ignored if configuration-uri is provided for the same cache name. An example of the user-defined property: quarkus.infinispan-client.cache.bookscache.configuration=
Cache configuration file in XML, JSON or YAML whose path will be converted to a URI to create the cache on first access. Example, with cacheConfig.xml located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-uri=cacheConfig.xml
Sets the near cache mode used by the Infinispan client. Available values: * DISABLED - Near caching is disabled. This is the default value. * INVALIDATED - Near caching is invalidation-based: when entries are updated or removed server-side, invalidation messages are sent to clients to remove them from the near cache.
Enables or disables Protobuf generated schemas upload to the backup. Set it to 'false' when you need to handle the lifecycle of the Protobuf Schemas on Server side yourself. Default is 'true'. This setting will be ignored if the Global Setting is set up to false.
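The SASL and TLS properties above are easiest to get wrong in combination, so here is an added example of an application.properties fragment (not taken from the Quarkus documentation or the Infinispan project) that puts the weak setting beside the hardened one. The hostname, file paths and environment variable names are constructed for illustration; the property names follow the quarkus.infinispan-client.* naming used by the extension, and the store-type keys are assumed to exist alongside the keystore and truststore keys described above.

```properties
# --- Weak: PLAIN sends the password in clear text. Without a trust
# store no TLS is enabled, so anyone on the path can read it. Listed
# here only as the anti-pattern; keep it commented out. ---
# quarkus.infinispan-client.hosts=infinispan.internal:11222
# quarkus.infinispan-client.username=app
# quarkus.infinispan-client.password=s3cr3t
# quarkus.infinispan-client.sasl-mechanism=PLAIN

# --- Hardened: mutual TLS with the EXTERNAL mechanism. The client
# identity is the certificate in the key store; setting the key-store
# and trust-store properties implicitly enables TLS. ---
quarkus.infinispan-client.hosts=infinispan.internal:11222
quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
quarkus.infinispan-client.sasl-mechanism=EXTERNAL
quarkus.infinispan-client.trust-store=/etc/infinispan/truststore.p12
quarkus.infinispan-client.trust-store-type=pkcs12
quarkus.infinispan-client.trust-store-password=${INFINISPAN_TRUSTSTORE_PASSWORD}
quarkus.infinispan-client.key-store=/etc/infinispan/client.p12
quarkus.infinispan-client.key-store-type=pkcs12
quarkus.infinispan-client.key-store-password=${INFINISPAN_KEYSTORE_PASSWORD}

# --- If a password mechanism is unavoidable, keep it behind the same
# trust store (TLS stays on) and read the secret from the environment
# instead of committing it. DIGEST-MD5 hides the password from the
# wire but is a Historic mechanism (RFC 6331); it does not replace TLS. ---
# quarkus.infinispan-client.sasl-mechanism=DIGEST-MD5
# quarkus.infinispan-client.username=${INFINISPAN_USER}
# quarkus.infinispan-client.password=${INFINISPAN_PASSWORD}
```

The ${…} references use the property expansion that Quarkus configuration already supports, so the same file works unchanged in dev, test and production while the secrets live outside the repository. A quick check after deployment is to confirm the server port is not reachable in plain text: a client configured without a trust store must fail the handshake rather than fall back to an unencrypted connection.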
If Dev Services has been explicitly enabled or disabled. Dev Services is generally enabled by default, unless there is an existing configuration present.
When Dev Services is enabled, Quarkus will attempt to automatically configure and start an Infinispan server when running in Dev or Test mode and when Docker is running.
When the configuration is empty, an Infinispan default client is automatically created to connect to the running dev service. However, there are scenarios where creating this client is unnecessary, yet we still need to spin up an Infinispan Server. In such cases, this property serves to determine whether the client should be created by default or not by the extension.
Indicates if the Infinispan server managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Infinispan starts a new container.
The discovery uses the quarkus-dev-service-infinispan label. The value is configured using the service-name property.
The value of the quarkus-dev-service-infinispan label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Infinispan looks for a container with the quarkus-dev-service-infinispan label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-infinispan label set to the specified value.
This property is used when you need multiple shared Infinispan servers.
Add a site name to start the Infinispan Server Container with Cross Site Replication enabled (ex. lon). Cross Site Replication is the capability to connect two separate Infinispan Server Clusters that might run in different Data Centers, and configure backup caches to copy the data across the clusters with active-active or active-passive replication. See more about Cross Site Replication in the Infinispan Documentation https://infinispan.org/docs/stable/titles/xsite/xsite.html Configure mcast-port to avoid forming a cluster with any other running Infinispan Server container.
If enabled, Jackson will serialize durations as numeric value(s). When disabled, they are serialized in ISO 8601 format. This is enabled by default to match the default Jackson behavior.
If set, Jackson will default to using the specified timezone when formatting dates. Some examples values are "Asia/Jakarta" and "GMT+3". If not set, Jackson will use its own default.
Defines how names of JSON properties ("external names") are derived from names of POJO methods and fields ("internal names"). The value can be one of the constants in com.fasterxml.jackson.databind.PropertyNamingStrategies, for example LOWER_CAMEL_CASE or UPPER_CAMEL_CASE. The value can also be the fully qualified class name of a com.fasterxml.jackson.databind.PropertyNamingStrategy subclass.
quarkus.jfr.enabled (boolean, default true, environment variable QUARKUS_JFR_ENABLED)
If false, the quarkus-jfr events are not recorded even if JFR is enabled; Java standard API and virtual machine information are still recorded according to the JFR settings.
quarkus.jfr.rest.enabled (boolean, default true, environment variable QUARKUS_JFR_REST_ENABLED)
If false, the REST events of quarkus-jfr are not recorded even if JFR is enabled; the other quarkus-jfr events, Java standard API and virtual machine information are still recorded according to the JFR settings.
JAXB
quarkus.jaxb.validate-jaxb-context (boolean)
If enabled, it will validate the default JAXB context at build time.
Exclude classes from being automatically bound to the default JAXB context. Values with the suffix .*, for example org.acme.*, are considered packages and exclude all classes that are members of these packages.
Note that Snappy requires GraalVM 21+ and embeds a native library in the native executable. This library is unpacked and loaded when the application starts.
Whether to load the Snappy native library from the shared classloader. This setting is only used in tests if the tests are using different profiles, which would lead to unsatisfied link errors when loading Snappy.
If Dev Services for Kafka has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For Kafka, Dev Services starts a broker unless kafka.bootstrap.servers is set or all the Reactive Messaging Kafka channels are configured with a bootstrap.servers.
Indicates if the Kafka broker managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Kafka starts a new container.
The discovery uses the quarkus-dev-service-kafka label. The value is configured using the service-name property.
The value of the quarkus-dev-service-kafka label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Kafka looks for a container with the quarkus-dev-service-kafka label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-kafka label set to the specified value.
This property is used when you need multiple shared Kafka brokers.
The topic-partition pairs to create in the Dev Services Kafka broker. After the broker is started, given topics with partitions are created, skipping already existing topics. For example, quarkus.kafka.devservices.topic-partitions.test=2 will create a topic named test with 2 partitions.
The topic creation will not try to re-partition existing topics with different number of partitions.
A comma-separated list of host:port pairs identifying the Kafka bootstrap server(s). If not set, fallback to kafka.bootstrap.servers, and if not set either use localhost:9092.
A comma-separated list of topic names. The pipeline will only be started once all these topics are present in the Kafka cluster and ignore.topics is set to false.
The schema registry key. Different schema registry libraries expect a registry URL in different configuration properties. For Apicurio Registry, use apicurio.registry.url. For Confluent schema registry, use schema.registry.url.
Keycloak server URL, for example, https://host:port. If this property is not set then the Keycloak Admin Client injection will fail - use org.keycloak.admin.client.KeycloakBuilder to create it instead.
Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled
Specifies whether the adapter should fetch, from the server, the resources associated with the paths in your application. If true, the policy enforcer fetches resources on demand according to the path being requested.
Specifies whether scopes should be mapped to HTTP methods. If set to true, the policy enforcer uses the HTTP method of the current request to check whether access should be granted.
quarkus.knative.name (string, environment variable QUARKUS_KNATIVE_NAME)
The name of the application. This value will be used for naming Kubernetes resources such as the Deployment, the Service and so on.
quarkus.knative.version (string, environment variable QUARKUS_KNATIVE_VERSION)
The version of the application.
quarkus.knative.namespace (string)
The namespace the generated resources should belong to. If no value is set, the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Whether to add the build timestamp to the Kubernetes annotations. This is a very useful way to have the manifests of successive builds of the same application differ, thus ensuring that Kubernetes will apply the updated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
quarkus.knative.min-scale (int, environment variable QUARKUS_KNATIVE_MIN_SCALE)
This value controls the minimum number of replicas each revision should have. Knative will attempt to never have less than this number of replicas at any point in time.
quarkus.knative.max-scale (int, environment variable QUARKUS_KNATIVE_MAX_SCALE)
This value controls the maximum number of replicas each revision should have. Knative will attempt to never have more than this number of replicas running, or in the process of being created, at any point in time.
quarkus.knative.scale-to-zero-enabled
The scale-to-zero values control whether Knative allows revisions to scale down to zero, or stops at 1.
The Autoscaler class. Knative Serving comes with its own autoscaler, the KPA (Knative Pod Autoscaler) but can also be configured to use Kubernetes’ HPA (Horizontal Pod Autoscaler) or even a custom third-party autoscaler. Possible values (kpa, hpa, default: kpa).
The maximum number of requests allowed into a replica at a time. Its default value is 0, which means an unlimited number of requests are allowed to flow into the replica.
LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty.
Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is to be routed to this Revision or Configuration. 0 (zero) mean no traffic, 100 means all traffic.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatch: indicates that the volume’s ownership and permissions will be changed only when the permissions and ownership of the root directory do not match the expected permissions on the volume. always: indicates that the volume’s ownership and permissions should always be changed whenever the volume is mounted inside a Pod. This is the default behavior.
quarkus.knative.deploy
If set to true, Quarkus will attempt to deploy the application to the target Knative cluster.
Environment variable: QUARKUS_KNATIVE_DEPLOY
boolean
false
quarkus.knative.deploy-strategy
If deploy is enabled, it will follow this strategy to update the resources to the target Knative cluster.
The namespace the generated resources should belong to. If no value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Whether to add the build timestamp to the Kubernetes annotations. This is a very useful way to have manifests of successive builds of the same application differ, thus ensuring that Kubernetes will apply the updated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values; this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io. See the Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The target deployment platform. Defaults to kubernetes. Can be kubernetes, openshift, knative, minikube etc., or any combination of the above as comma separated list.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; the value must be a positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, the Job becomes eligible for automatic deletion ttlSecondsAfterFinished seconds after it finishes.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatch: indicates that the volume’s ownership and permissions will be changed only when the permissions and ownership of the root directory do not match the expected permissions on the volume. always: indicates that the volume’s ownership and permissions should always be changed whenever the volume is mounted inside a Pod. This is the default behavior.
quarkus.kubernetes.container-name
If set, it will change the name of the container according to the configuration.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
The OpenShift flavor / version to use. Older versions of OpenShift have minor differences in the labels and fields they support. This option allows users to have their manifests automatically aligned to the OpenShift 'flavor' they use.
Environment variable: QUARKUS_OPENSHIFT_FLAVOR
v3, v4
v4
quarkus.openshift.deployment-kind
The kind of the deployment resource to use. Supported values are 'Deployment', 'StatefulSet', 'Job', 'CronJob' and 'DeploymentConfig'. Defaults to 'DeploymentConfig' if flavor == v3, or 'Deployment' otherwise. DeploymentConfig is deprecated as of OpenShift 4.14. See https://access.redhat.com/articles/7041372 for details.
The name of the application. This value will be used for naming Kubernetes resources like: 'Deployment', 'Service' and so on…
Environment variable: QUARKUS_OPENSHIFT_NAME
string
quarkus.openshift.version
The version of the application.
Environment variable: QUARKUS_OPENSHIFT_VERSION
string
quarkus.openshift.namespace
The namespace the generated resources should belong to. If no value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Add the build timestamp to the Kubernetes annotations. This is a very useful way to have manifests of successive builds of the same application differ, thus ensuring that Kubernetes will apply the updated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values; this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io. See the Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; the value must be a positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, the Job becomes eligible for automatic deletion ttlSecondsAfterFinished seconds after it finishes.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatch: indicates that the volume’s ownership and permissions will be changed only when the permissions and ownership of the root directory do not match the expected permissions on the volume. always: indicates that the volume’s ownership and permissions should always be changed whenever the volume is mounted inside a Pod. This is the default behavior.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
Enable the generation of the RBAC manifests. If enabled and no other role bindings are provided using the quarkus.kubernetes.rbac. properties, it will generate a default role binding using the role "view" and the application service account.
If Dev Services for Kubernetes should be used (defaults to true). If this is true and the Kubernetes client is not configured, then a Kubernetes cluster will be started and used.
Indicates if the Kubernetes cluster managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Kubernetes starts a new container.
The discovery uses the quarkus-dev-service-kubernetes label. The value is configured using the service-name property.
The value of the quarkus-dev-service-kubernetes label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Kubernetes looks for a container with the quarkus-dev-service-kubernetes label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-kubernetes label set to the specified value.
This property is used when you need multiple shared Kubernetes clusters.
Whether configuration can be read from secrets. If set to true, Kubernetes resources allowing access to secrets (role and role binding) will be generated.
ConfigMaps to look for in the namespace that the Kubernetes Client has been configured for. ConfigMaps defined later in this list have a higher priority than ConfigMaps defined earlier in this list. Furthermore, any Secrets defined in secrets will have a higher priority than all ConfigMaps.
Secrets to look for in the namespace that the Kubernetes Client has been configured for. If you use this, you probably want to enable quarkus.kubernetes-config.secrets.enabled. Secrets defined later in this list have a higher priority than ConfigMaps defined earlier in this list. Furthermore, these Secrets have a higher priority than all ConfigMaps defined in configMaps.
Namespace to look for config maps and secrets. If this is not specified, then the namespace configured in the kubectl config context is used. If the value is specified and the namespace doesn’t exist, the application will fail to start.
The username that Liquibase uses to connect to the database. If no specific username is configured, falls back to the datasource username and password.
Environment variable: QUARKUS_LIQUIBASE_USERNAME
string
quarkus.liquibase.password
The password that Liquibase uses to connect to the database. If no specific password is configured, falls back to the datasource username and password.
Environment variable: QUARKUS_LIQUIBASE_PASSWORD
string
quarkus.liquibase.liquibase-catalog-name
The name of the catalog with the Liquibase tables.
The username that Liquibase uses to connect to the database. If no specific username is configured, falls back to the datasource username and password.
The password that Liquibase uses to connect to the database. If no specific password is configured, falls back to the datasource username and password.
Only used when extractStackTrace is true. A value of 0 will extract the whole stack trace. Any positive value will walk the cause chain: 1 corresponds with exception.getCause(), 2 with exception.getCause().getCause(), … Negative throwable references walk the exception chain from the root cause side: -1 will extract the root cause, -2 the exception wrapping the root cause, …
Additional field type specification. Supported types: String, long, Long, double, Double and discover. Discover is the default if not specified; it discovers the field type based on parseability.
Send additional fields whose values are obtained from MDC. Field names are comma-separated. Example: mdcFields=Application,Version,SomeOtherFieldName
Dynamic MDC Fields allows you to extract MDC values based on one or more regular expressions. Multiple regexes are comma-separated. The name of the MDC entry is used as GELF field name.
Pattern-based type specification for additional and MDC fields. Key-value pairs are comma-separated. Example: my_field.*=String,business\..*\.field=double
Printing the details can be expensive as the values are retrieved from the caller. The details include the source class name, source file name, source method name, and source line number.
The SMTP port. The default value depends on the configuration. Port 25 is used as the default when ssl is disabled. This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmission of email from email server to email server. Port 587 is the default port when ssl is enabled. It ensures that email is submitted securely.
Note that the port 465 may be used by SMTP servers, however, IANA has reassigned a new service to this port, and it should no longer be used for SMTP communications.
Environment variable: QUARKUS_MAILER_PORT
int
quarkus.mailer.username
Sets the username to connect to the SMTP server.
Environment variable: QUARKUS_MAILER_USERNAME
string
quarkus.mailer.password
Sets the password to connect to the SMTP server.
Environment variable: QUARKUS_MAILER_PASSWORD
string
quarkus.mailer.tls-configuration-name
The name of the TLS configuration to use.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, then an error will be thrown.
If no TLS configuration name is set, then the specific TLS configuration (from quarkus.mailer.*) will be used.
The default TLS configuration is not used by default.
Whether the connection should be secured using TLS.
SMTP allows establishing a connection with or without TLS. When establishing a connection with TLS, the connection is secured and encrypted. When establishing a connection without TLS, it can be secured and encrypted later using the STARTTLS command. In this case, the connection is initially unsecured and unencrypted. To configure this case, set this property to false and start-tls to REQUIRED. Note that if a TLS configuration is set, TLS is enabled automatically. So, setting this property to false is required to not establish a connection with TLS.
Environment variable: QUARKUS_MAILER_TLS
boolean
quarkus.mailer.max-pool-size
Sets the max number of open connections to the mail server.
Sets whether the connection pool is enabled. Even if connection pooling is disabled, the maximum number of sockets is still enforced.
Environment variable: QUARKUS_MAILER_KEEP_ALIVE
boolean
true
quarkus.mailer.disable-esmtp
Disable ESMTP.
RFC 1869 states that clients should always attempt EHLO as the first command to determine if ESMTP is supported; if this returns an error code, HELO is tried in order to use regular SMTP commands.
Sets the login mode for the connection. Either NONE, DISABLED, OPTIONAL, REQUIRED or XOAUTH2.
DISABLED means no login will be attempted
NONE means a login will be attempted if the server supports it and login credentials are set
REQUIRED means that a login will be attempted if the server supports it, and the send operation will fail otherwise
XOAUTH2 means that a login will be attempted using Google Gmail Oauth2 tokens
Environment variable: QUARKUS_MAILER_LOGIN
string
NONE
quarkus.mailer.auth-methods
Sets the allowed authentication methods. These methods will be used only if the server supports them. If not set, all supported methods may be used.
The list is given as a space separated list, such as DIGEST-MD5 CRAM-SHA256 CRAM-SHA1 CRAM-MD5 PLAIN LOGIN.
Environment variable: QUARKUS_MAILER_AUTH_METHODS
string
quarkus.mailer.multi-part-only
Whether mails should always be sent as multipart even if they don’t have attachments. When set to true, the mail message will be encoded as multipart even for simple mails without attachments.
Set the keep alive timeout for the SMTP connection. This value determines how long a connection remains unused in the pool before being evicted and closed. A timeout of 0 means there is no timeout.
Approved recipients are compiled to a Pattern and must be a valid regular expression. The created Pattern is case-insensitive as emails are case insensitive. Provided patterns are trimmed before being compiled.
The SMTP port. The default value depends on the configuration. Port 25 is used as the default when ssl is disabled. This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmission of email from email server to email server. Port 587 is the default port when ssl is enabled. It ensures that email is submitted securely.
Note that the port 465 may be used by SMTP servers, however, IANA has reassigned a new service to this port, and it should no longer be used for SMTP communications.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, then an error will be thrown.
If no TLS configuration name is set, then the specific TLS configuration (from quarkus.mailer.*) will be used.
The default TLS configuration is not used by default.
Whether the connection should be secured using TLS.
SMTP allows establishing a connection with or without TLS. When establishing a connection with TLS, the connection is secured and encrypted. When establishing a connection without TLS, it can be secured and encrypted later using the STARTTLS command. In this case, the connection is initially unsecured and unencrypted. To configure this case, set this property to false and start-tls to REQUIRED. Note that if a TLS configuration is set, TLS is enabled automatically. So, setting this property to false is required to not establish a connection with TLS.
RFC 1869 states that clients should always attempt EHLO as the first command to determine if ESMTP is supported; if this returns an error code, HELO is tried in order to use regular SMTP commands.
Whether mails should always be sent as multipart even if they don’t have attachments. When set to true, the mail message will be encoded as multipart even for simple mails without attachments.
Set the keep alive timeout for the SMTP connection. This value determines how long a connection remains unused in the pool before being evicted and closed. A timeout of 0 means there is no timeout.
Approved recipients are compiled to a Pattern and must be a valid regular expression. The created Pattern is case-insensitive as emails are case insensitive. Provided patterns are trimmed before being compiled.
Whether it should automatically configure the connector attribute of channels that don’t have an upstream source (for incoming channels) or a downstream consumer (for outgoing channels). When enabled, it verifies that there is only a single connector on the classpath. In that case, it automatically associates the orphan channels with the connector, removing the need to add the .connector attribute in the application configuration.
If Dev Services for AMQP has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For AMQP, Dev Services starts a broker unless amqp-host or amqp-port are set or if all the Reactive Messaging AMQP channels are configured with host or port.
The image to use. Note that only ActiveMQ Artemis images are supported. Specifically, the image repository must end with artemiscloud/activemq-artemis-broker.
The value of the AMQ_EXTRA_ARGS environment variable to pass to the container. For ActiveMQ Artemis Broker <= 1.0.21, set this property to --no-autotune --mapped --no-fsync --relax-jolokia --http-host 0.0.0.0
Indicates if the AMQP broker managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for AMQP starts a new container.
The discovery uses the quarkus-dev-service-amqp label. The value is configured using the service-name property.
The value of the quarkus-dev-service-amqp label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for AMQP looks for a container with the quarkus-dev-service-amqp label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-amqp label set to the specified value.
This property is used when you need multiple shared AMQP brokers.
Whether Kafka serializer/deserializer generation is enabled. When no serializer/deserializer is found and none is set, Quarkus generates a Jackson-based serde.
Enables the graceful shutdown in dev and test modes. The graceful shutdown waits until the in-flight records have been processed and the offset committed to Kafka. While this setting is highly recommended in production, in dev and test modes it is disabled by default. This setting allows re-enabling it.
If Dev Services for MQTT has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For MQTT, Dev Services starts a broker unless *.host or *.port are set for one of the connectors or if all the Reactive Messaging MQTT channels are configured with host or port.
Indicates if the MQTT broker managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for MQTT starts a new container.
The discovery uses the quarkus-dev-service-mqtt label. The value is configured using the service-name property.
The value of the quarkus-dev-service-mqtt label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for MQTT looks for a container with the quarkus-dev-service-mqtt label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-mqtt label set to the specified value.
This property is used when you need multiple shared MQTT brokers.
If Dev Services for Pulsar has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For Pulsar, Dev Services starts a broker unless pulsar.client.serviceUrl is set or if all the Reactive Messaging Pulsar channels are configured with serviceUrl.
The image to use. Note that only Apache Pulsar images are supported. Specifically, the image repository must end with apachepulsar/pulsar. Check https://hub.docker.com/r/apachepulsar/pulsar to find the available versions.
Indicates if the Pulsar broker managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Pulsar starts a new container.
The discovery uses the quarkus-dev-service-pulsar label. The value is configured using the service-name property.
The value of the quarkus-dev-service-pulsar label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Pulsar looks for a container with the quarkus-dev-service-pulsar label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-pulsar label set to the specified value.
This property is used when you need multiple shared Pulsar brokers.
If Dev Services for RabbitMQ has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For RabbitMQ, Dev Services starts a broker unless rabbitmq-host or rabbitmq-port are set or if all the Reactive Messaging RabbitMQ channels are configured with host or port.
Indicates if the RabbitMQ broker managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for RabbitMQ starts a new container.
The discovery uses the quarkus-dev-service-rabbitmq label. The value is configured using the service-name property.
The value of the quarkus-dev-service-rabbitmq label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for RabbitMQ looks for a container with the quarkus-dev-service-rabbitmq label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-rabbitmq label set to the specified value.
This property is used when you need multiple shared RabbitMQ brokers.
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
Support for HTTP client metrics will be enabled if Micrometer support is enabled, the REST client feature is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for HTTP server metrics will be enabled if Micrometer support is enabled, an extension serving HTTP traffic is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for JVM metrics will be enabled if Micrometer support is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Kafka metrics will be enabled if Micrometer support is enabled, the Kafka Consumer or Producer interface is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Redis metrics will be enabled if Micrometer support is enabled, the Quarkus Redis client extension is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Stork metrics will be enabled if Micrometer support is enabled, the Quarkus Stork extension is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for gRPC server metrics will be enabled if Micrometer support is enabled, the gRPC server interfaces are on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for gRPC client metrics will be enabled if Micrometer support is enabled, the gRPC client interfaces are on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Reactive Messaging metrics will be enabled if Micrometer support is enabled, MessageObservationCollector interface is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
The Micrometer extension currently provides a compatibility layer that supports the MP Metrics API, but metric names and recorded values will be different. Note that the MP Metrics compatibility layer will move to a different extension in the future.
Support for System metrics will be enabled if Micrometer support is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Vert.x metrics will be enabled if Micrometer support is enabled, Vert.x MetricsOptions is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Netty metrics will be enabled if Micrometer support is enabled, the Netty allocator classes are on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
The path for the JSON metrics endpoint. The default value is metrics. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
Statistics like max, percentiles, and histogram counts decay over time to give greater weight to recent samples. Samples are accumulated to such statistics in ring buffers which rotate after the expiry, with this buffer length.
Statistics like max, percentiles, and histogram counts decay over time to give greater weight to recent samples. Samples are accumulated to such statistics in ring buffers which rotate after this expiry, with a particular buffer length.
Support for Prometheus will be enabled if Micrometer support is enabled, the PrometheusMeterRegistry is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.registry-enabled-default is true.
The path for the prometheus metrics endpoint (produces text/plain). The default value is metrics and is resolved relative to the non-application endpoint (q), e.g. ${quarkus.http.root-path}/${quarkus.http.non-application-root-path}/metrics. If an absolute path is specified (/metrics), the prometheus endpoint will be served from the configured path.
Comma-separated list of regular expressions used to specify uri labels in http metrics. Vertx instrumentation will attempt to transform parameterized resource paths, /item/123, into a generic form, /item/{id}, to reduce the cardinality of uri label values. Patterns specified here will take precedence over those computed values. For example, if /item/\\\\d+=/item/custom or /item/[0-9]+=/item/custom is specified in this list, a request to a matching path (/item/123) will use the specified replacement value (/item/custom) as the value for the uri label. Note that backslashes must be double escaped as \\\\.
Suppress non-application uris from metrics collection. This will suppress all metrics for non-application endpoints using ${quarkus.http.root-path}/${quarkus.http.non-application-root-path}. Suppressing non-application uris is enabled by default.
Maximum number of unique URI tag values allowed. After the max number of tag values is reached, metrics with additional tag values are denied by filter.
Comma-separated list of regular expressions used to specify uri labels in http metrics. Outbound HTTP client instrumentation will attempt to transform parameterized resource paths, /item/123, into a generic form, /item/{id}, to reduce the cardinality of uri label values. Patterns specified here will take precedence over those computed values. For example, if /item/\\\\d+=/item/custom or /item/[0-9]+=/item/custom is specified in this list, a request to a matching path (/item/123) will use the specified replacement value (/item/custom) as the value for the uri label. Note that backslashes must be double escaped as \\\\.
Maximum number of unique URI tag values allowed. After the max number of tag values is reached, metrics with additional tag values are denied by filter.
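The server-side and client-side match-patterns properties above, together with the max-uri-tags limit, describe one mechanism: user-supplied regex=replacement pairs take precedence over the computed /item/{id} form, and once the configured number of distinct uri values is reached, further values are denied so that a caller probing random paths cannot blow up the time series count. The following Python sketch is an added example, not Quarkus or Micrometer code, that applies that logic to constructed paths. The sample pattern list, the numeric-segment heuristic used for the generic form and the use of a full match for user patterns are assumptions made for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample value of the comma-separated "regex=replacement" list, as it
# reads after the properties file has been parsed (one backslash per escape).
SAMPLE_MATCH_PATTERNS = (
    r"/item/\d+=/item/custom,"
    r"/orders/[0-9]+/lines/[0-9]+=/orders/{orderId}/lines/{lineId}"
)

_NUMERIC_SEGMENT = re.compile(r"^\d+$")


def parse_match_patterns(value: str) -> List[Tuple[re.Pattern, str]]:
    """Split the list into (compiled regex, replacement) pairs.

    The first '=' separates the regex from its replacement, so a replacement
    may itself contain '=' but a regex may not.
    """
    patterns: List[Tuple[re.Pattern, str]] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        regex, sep, replacement = entry.partition("=")
        if not sep:
            raise ValueError(f"pattern entry without '=': {entry!r}")
        patterns.append((re.compile(regex), replacement))
    return patterns


def generic_form(path: str) -> str:
    """Fallback normalisation: purely numeric segments become {id} (assumption)."""
    return "/".join("{id}" if _NUMERIC_SEGMENT.match(seg) else seg
                    for seg in path.split("/"))


def uri_label(path: str, patterns: List[Tuple[re.Pattern, str]]) -> str:
    """User patterns win over the computed generic form; the first full match is used."""
    for regex, replacement in patterns:
        if regex.fullmatch(path):
            return replacement
    return generic_form(path)


class UriTagLimiter:
    """Admit at most max_uri_tags distinct uri values; later new values are denied."""

    def __init__(self, max_uri_tags: int) -> None:
        self.max_uri_tags = max_uri_tags
        self.seen: Set[str] = set()

    def accept(self, label: str) -> bool:
        if label in self.seen:
            return True
        if len(self.seen) >= self.max_uri_tags:
            return False
        self.seen.add(label)
        return True


def label_for_request(path: str, patterns: List[Tuple[re.Pattern, str]],
                      limiter: UriTagLimiter) -> Optional[str]:
    """Return the uri label to record, or None when the tag budget is exhausted."""
    label = uri_label(path, patterns)
    return label if limiter.accept(label) else None
```

Because the limit applies to label values after normalisation, a working pattern list keeps the count low even under path scanning: every /item/<number> collapses to one value, and only genuinely new shapes consume budget.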
Configures the connection string. The format is: mongodb://[username:password@]host1[:port1][,host2[:port2],…[,hostN[:portN]]][/[database.collection][?options]]
mongodb:// is a required prefix to identify that this is a string in the standard connection format.
username:password@ are optional. If given, the driver will attempt to log in to a database after connecting to a database server. For some authentication mechanisms, only the username is specified and the password is not, in which case the ":" after the username is left off as well.
host1 is the only required part of the connection string. It identifies a server address to connect to.
:portX is optional and defaults to :27017 if not provided.
/database is the name of the database to log in to and thus is only relevant if the username:password@ syntax is used. If not specified the admin database will be used by default.
?options are connection options. Note that if database is absent there is still a / required between the last host and the ? introducing the options. Options are name=value pairs and the pairs are separated by "&".
An alternative format, using the mongodb+srv protocol, is:
mongodb+srv:// is a required prefix for this format.
username:password@ are optional. If given, the driver will attempt to log in to a database after connecting to a database server. For some authentication mechanisms, only the username is specified and the password is not, in which case the ":" after the username is left off as well.
host is the only required part of the URI. It identifies a single host name for which SRV records are looked up from a Domain Name Server after prefixing the host name with "_mongodb._tcp". The host/port for each SRV record becomes the seed list used to connect, as if each one were provided as host/port pair in a URI using the normal mongodb protocol.
/database is the name of the database to login to and thus is only relevant if the username:password@ syntax is used. If not specified the "admin" database will be used by default.
?options are connection options. Note that if database is absent there is still a / required between the last host and the ? introducing the options. Options are name=value pairs and the pairs are separated by "&". Additionally with the mongodb+srv protocol, TXT records are looked up from a Domain Name Server for the given host, and the text value of each one is prepended to any options on the URI itself. Because the last specified value for any option wins, that means that options provided on the URI will override any that are provided via TXT records.
When choosing among multiple MongoDB servers to send a request, the driver will only send that request to a server whose ping time is less than or equal to the server with the fastest ping time plus the local threshold.
This property configures the DNS server. If the server is not set, it tries to read the first nameserver from /etc/resolv.conf (if the file exists); otherwise it falls back to the default.
Configures the connection string. The format is: mongodb://[username:password@]host1[:port1][,host2[:port2],…[,hostN[:portN]]][/[database.collection][?options]]
mongodb:// is a required prefix to identify that this is a string in the standard connection format.
username:password@ are optional. If given, the driver will attempt to log in to a database after connecting to a database server. For some authentication mechanisms, only the username is specified and the password is not, in which case the ":" after the username is left off as well.
host1 is the only required part of the connection string. It identifies a server address to connect to.
:portX is optional and defaults to :27017 if not provided.
/database is the name of the database to log in to and thus is only relevant if the username:password@ syntax is used. If not specified the admin database will be used by default.
?options are connection options. Note that if database is absent there is still a / required between the last host and the ? introducing the options. Options are name=value pairs and the pairs are separated by "&".
An alternative format, using the mongodb+srv protocol, is:
mongodb+srv:// is a required prefix for this format.
username:password@ are optional. If given, the driver will attempt to log in to a database after connecting to a database server. For some authentication mechanisms, only the username is specified and the password is not, in which case the ":" after the username is left off as well.
host is the only required part of the URI. It identifies a single host name for which SRV records are looked up from a Domain Name Server after prefixing the host name with "_mongodb._tcp". The host/port for each SRV record becomes the seed list used to connect, as if each one were provided as host/port pair in a URI using the normal mongodb protocol.
/database is the name of the database to login to and thus is only relevant if the username:password@ syntax is used. If not specified the "admin" database will be used by default.
?options are connection options. Note that if database is absent there is still a / required between the last host and the ? introducing the options. Options are name=value pairs and the pairs are separated by "&". Additionally with the mongodb+srv protocol, TXT records are looked up from a Domain Name Server for the given host, and the text value of each one is prepended to any options on the URI itself. Because the last specified value for any option wins, that means that options provided on the URI will override any that are provided via TXT records.
When choosing among multiple MongoDB servers to send a request, the driver will only send that request to a server whose ping time is less than or equal to the server with the fastest ping time plus the local threshold.
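The two connection-string descriptions above (default client and named client) spell out the same grammar: a required scheme prefix, optional user info, one or more hosts with 27017 as the default port, an optional /database that doubles as the authentication database (admin when absent), a mandatory "/" before "?" even without a database, and, for mongodb+srv, a single host whose SRV and TXT records supply the seed list and extra options with URI options taking precedence. The following Python parser is an added example, not Quarkus or MongoDB driver code; it implements exactly those rules so a connection string from configuration or a secret store can be validated before use. Percent-decoding of the user info, rejecting a port with mongodb+srv, and the sample hosts and credentials are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

DEFAULT_PORT = 27017  # :portX defaults to 27017 when omitted (mongodb:// only)


@dataclass
class ConnectionString:
    scheme: str                              # "mongodb" or "mongodb+srv"
    username: Optional[str]
    password: Optional[str]
    hosts: List[Tuple[str, Optional[int]]]   # port is None for mongodb+srv (comes from SRV)
    database: Optional[str]
    options: Dict[str, str] = field(default_factory=dict)


def parse_options(query: str) -> Dict[str, str]:
    """Parse 'name=value&name=value'; the last value given for a name wins."""
    options: Dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"option without '=': {pair!r}")
        options[name] = value
    return options


def parse_connection_string(uri: str) -> ConnectionString:
    """Split a mongodb:// or mongodb+srv:// string into the parts documented above."""
    if uri.startswith("mongodb+srv://"):
        scheme, rest = "mongodb+srv", uri[len("mongodb+srv://"):]
    elif uri.startswith("mongodb://"):
        scheme, rest = "mongodb", uri[len("mongodb://"):]
    else:
        raise ValueError("connection string must start with mongodb:// or mongodb+srv://")

    # username:password@ is optional; a bare "user@" means a mechanism without a password.
    username = password = None
    if "@" in rest:
        userinfo, rest = rest.rsplit("@", 1)
        if ":" in userinfo:
            username, password = (unquote(p) for p in userinfo.split(":", 1))
        else:
            username = unquote(userinfo)

    # Hosts run up to the first '/'; a '?' before that slash is malformed.
    hostpart, slash, tail = rest.partition("/")
    if "?" in hostpart:
        raise ValueError("a '/' is required between the last host and '?' even if database is absent")
    if not hostpart:
        raise ValueError("at least one host is required")

    hosts: List[Tuple[str, Optional[int]]] = []
    for entry in hostpart.split(","):
        name, colon, port = entry.partition(":")
        if scheme == "mongodb+srv":
            if colon:
                raise ValueError("mongodb+srv takes a single host name without a port (assumption)")
            hosts.append((name, None))  # real host/port pairs come from the SRV records
        else:
            hosts.append((name, int(port) if colon else DEFAULT_PORT))
    if scheme == "mongodb+srv" and len(hosts) != 1:
        raise ValueError("mongodb+srv requires exactly one host name")

    database: Optional[str] = None
    options: Dict[str, str] = {}
    if slash:
        dbpart, qmark, query = tail.partition("?")
        database = dbpart or None
        if qmark:
            options = parse_options(query)
    return ConnectionString(scheme, username, password, hosts, database, options)


def srv_lookup_name(host: str) -> str:
    """Name queried for SRV records: the host prefixed with _mongodb._tcp."""
    return "_mongodb._tcp." + host


def effective_options(uri_options: Dict[str, str], txt_records: List[str]) -> Dict[str, str]:
    """mongodb+srv: TXT record options are prepended to the URI's, so URI values win."""
    merged: Dict[str, str] = {}
    for record in txt_records:
        merged.update(parse_options(record))
    merged.update(uri_options)
    return merged


def auth_database(cs: ConnectionString) -> str:
    """Database the credentials are checked against: /database, else admin."""
    return cs.database or "admin"
```

The precedence rule in effective_options is the one worth remembering from a trust perspective: with mongodb+srv, whoever controls the DNS zone can inject options through TXT records, but anything set explicitly on the URI still overrides them.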
If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.
When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode.
Indicates if the MongoDB server managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for MongoDB starts a new container.
The discovery uses the quarkus-dev-service-mongodb label. The value is configured using the service-name property.
The value of the quarkus-dev-service-mongodb label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for MongoDB looks for a container with the quarkus-dev-service-mongodb label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the quarkus-dev-service-mongodb label set to the specified value.
Configures the safety. If set to true: the driver ensures that all writes are acknowledged by the MongoDB server, or else throws an exception (see also w and wtimeoutMS). If set to false: the driver does not ensure that all writes are acknowledged by the MongoDB server.
Configures the journal writing aspect. If set to true: the driver waits for the server to group commit to the journal file on disk. If set to false: the driver does not wait for the server to group commit to the journal file on disk.
When set, the driver adds w: wValue to all write commands. It requires safe to be true. The value is typically a number, but can also be the majority string.
Configures the authentication mechanism to use if a credential was supplied. The default is unspecified, in which case the client will pick the most secure mechanism available based on the server version. For the GSSAPI and MONGODB-X509 mechanisms, no password is accepted, only the username. Supported values: null or GSSAPI|PLAIN|MONGODB-X509|SCRAM_SHA_1|SCRAM_SHA_256|MONGODB_AWS
Configures the source of the authentication credentials. This is typically the database where the credentials have been created. The value defaults to the database specified in the path portion of the connection string or in the 'database' configuration property. If the database is specified in neither place, the default value is admin. This option is only respected when using the MONGO-CR mechanism (the default).
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
Configures the safety. If set to true: the driver ensures that all writes are acknowledged by the MongoDB server, or else throws an exception (see also w and wtimeoutMS). If set to false: the driver does not ensure that all writes are acknowledged by the MongoDB server.
Configures the journal writing aspect. If set to true: the driver waits for the server to group commit to the journal file on disk. If set to false: the driver does not wait for the server to group commit to the journal file on disk.
When set, the driver adds w: wValue to all write commands. It requires safe to be true. The value is typically a number, but can also be the majority string.
Configures the authentication mechanism to use if a credential was supplied. The default is unspecified, in which case the client will pick the most secure mechanism available based on the server version. For the GSSAPI and MONGODB-X509 mechanisms, no password is accepted, only the username. Supported values: null or GSSAPI|PLAIN|MONGODB-X509|SCRAM_SHA_1|SCRAM_SHA_256|MONGODB_AWS
Configures the source of the authentication credentials. This is typically the database where the credentials have been created. The value defaults to the database specified in the path portion of the connection string or in the 'database' configuration property. If the database is specified in neither place, the default value is admin. This option is only respected when using the MONGO-CR mechanism (the default).
This is a bean name (as in @Named) of a bean that implements CredentialsProvider. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
For Vault, the credentials provider bean name is vault-credentials-provider.
Whether the node name should be shortened if necessary. The node name must not exceed a length of 28 bytes. If this property is set to true, and the node name exceeds 28 bytes, the node name is shortened by calculating the SHA-224 hash, which has a length of 28 bytes.
The REST endpoint on which a coordinator is running. In order for an LRA to begin and end successfully and in order to join with an existing LRA, this coordinator must be available whenever a service method annotated with @LRA is invoked. In this version of the extension, a failed coordinator with LRAs that have not yet finished must be restarted.
The value configuring the io.netty.allocator.maxOrder system property of Netty. The default value is 3. Configuring this property overrides the minimum maxOrder requested by the extensions. This property affects the memory consumption of the application. It must be used carefully. More details on https://programmer.group/pool-area-of-netty-memory-pool.html.
If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.
When DevServices is enabled Quarkus will attempt to automatically configure and start containers when running in Dev or Test mode and when Docker is running.
Indicates if the container managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services starts a new container.
The discovery uses the quarkus-dev-service-label label. The value is configured using the service-name property.
The value of the quarkus-dev-service label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services looks for a container with the quarkus-dev-service label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service label set to the specified value.
This property is used when you need multiple shared containers.
If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.
When DevServices is enabled Quarkus will attempt to automatically configure and start containers when running in Dev or Test mode and when Docker is running.
Flag to enable (default) or disable Dev Services. When enabled, Dev Services for Keycloak automatically configures and starts Keycloak in Dev or Test mode, and when Docker is running.
The container image name for Dev Services providers. Defaults to a Quarkus-based Keycloak image. For a WildFly-based distribution, use an image like quay.io/keycloak/keycloak:19.0.3-legacy. Keycloak Quarkus and WildFly images are initialized differently. Dev Services for Keycloak will assume it is a Keycloak Quarkus image unless the image version ends with -legacy. Override with quarkus.keycloak.devservices.keycloak-x-image.
Indicates if a Keycloak-X image is used. By default, the image is identified by keycloak-x in the image name. For custom images, override with quarkus.keycloak.devservices.keycloak-x-image. You do not need to set this property if the default check works.
Determines if the Keycloak container is shared. When shared, Quarkus uses label-based service discovery to find and reuse a running Keycloak container, so a second one is not started. Otherwise, if a matching container is not found, a new container is started. The service discovery uses the quarkus-dev-service-label label, whose value is set by the service-name property. Container sharing is available only in dev mode.
The value of the quarkus-dev-service-keycloak label for identifying the Keycloak container. Used in shared mode to locate an existing container with this label. If not found, a new container is initialized with this label. Applicable only in dev mode.
A comma-separated list of class or file system paths to Keycloak realm files. This list is used to initialize Keycloak. The first value in this list is used to initialize default tenant connection properties.
Aliases to additional class or file system resources that are used to initialize Keycloak. Each map entry represents a mapping between an alias and a class or file system resource path.
Additional class or file system resources that are used to initialize Keycloak. Each map entry represents a mapping between a class or file system resource path alias and the Keycloak container location.
Keycloak start command. Use this property to experiment with Keycloak start options, see https://www.keycloak.org/server/all-config. Note, it is ignored when loading legacy Keycloak WildFly images.
The name of the Keycloak realm. This property is used to create the realm if the realm file pointed to by the realm-path property does not exist. The default value is quarkus in this case. It is recommended to always set this property so that Dev Services for Keycloak can identify the realm name without parsing the realm file.
Specifies whether to create the Keycloak realm when no realm file is found at the realm-path. Set to false if the realm is to be created using either the Keycloak Administration Console or the Keycloak Admin API provided by io.quarkus.test.common.QuarkusTestResourceLifecycleManager.
Specifies whether to create the default client id quarkus-app with a secret secret and register them as the quarkus.oidc.client.id and quarkus.oidc.credentials.secret properties, if the create-realm property is set to true. Set to false if clients have to be created using either the Keycloak Administration Console or the Keycloak Admin API provided by io.quarkus.test.common.QuarkusTestResourceLifecycleManager or registered dynamically.
Specifies whether to start the container even if the default OIDC tenant is disabled. Setting this property to true may be necessary in a multi-tenant OIDC setup, especially when OIDC tenants are created dynamically.
A map of Keycloak usernames to passwords. If empty, default users alice and bob are created with their names as passwords. This map is used for user creation when no realm file is found at the realm-path.
A map of roles for Keycloak users. If empty, default roles are assigned: alice receives admin and user roles, while other users receive user role. This map is used for role creation when no realm file is found at the realm-path.
The WebClient timeout. Use this property to configure how long an HTTP client used by Dev UI handlers will wait for a response when requesting tokens from OpenId Connect Provider and sending them to the service endpoint. This timeout is also used by the OIDC dev service admin client.
Enable the registration of the Default TokenIntrospection and UserInfo Cache implementation bean. Note: This only enables the default implementation. It requires configuration to be activated. See OidcConfig#tokenCache.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. Do not set this property if you use 'quarkus-oidc' and the public key verification (public-key) or certificate chain verification only (certificate-chain) is required. The OIDC discovery endpoint is called by default by appending a .well-known/openid-configuration path to this URL. For Keycloak, use https://host:port/realms/{realm}, replacing {realm} with the Keycloak realm name.
The relative path or absolute URL of the OIDC dynamic client registration endpoint. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to 20S allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the connection-retry-count property instead.
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from connection-delay, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting.
Whether DNS lookup should be performed on the worker thread. Use this option when you see logged warnings about the Vert.x event loop being blocked by HTTP requests to the OIDC server.
The maximum size of the connection pool used by the WebClient.
Environment variable: QUARKUS_OIDC_MAX_POOL_SIZE
int
quarkus.oidc.proxy.host
The host name or IP address of the Proxy.
Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy.
Environment variable: QUARKUS_OIDC_PROXY_HOST
string
quarkus.oidc.proxy.port
The port number of the Proxy. The default value is 80.
Environment variable: QUARKUS_OIDC_PROXY_PORT
int
80
quarkus.oidc.proxy.username
The username, if the Proxy needs authentication.
Environment variable: QUARKUS_OIDC_PROXY_USERNAME
string
quarkus.oidc.proxy.password
The password, if the Proxy needs authentication.
Environment variable: QUARKUS_OIDC_PROXY_PASSWORD
string
quarkus.oidc.tls.tls-configuration-name
The name of the TLS configuration to use.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, an error will be thrown.
The default TLS configuration is not used by default.
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
Environment variable: QUARKUS_OIDC_TOKEN_PATH
string
quarkus.oidc.revoke-path
The relative path or absolute URL of the OIDC token revocation endpoint.
Environment variable: QUARKUS_OIDC_REVOKE_PATH
string
quarkus.oidc.client-id
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if application-type is service and no token introspection is required.
Environment variable: QUARKUS_OIDC_CLIENT_ID
string
quarkus.oidc.client-name
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
Environment variable: QUARKUS_OIDC_CLIENT_NAME
string
quarkus.oidc.credentials.secret
The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.
The client secret value. This value is ignored if credentials.secret is set. Must be set unless a secret is set in client-secret or jwt client authentication is required.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
- basic: client_secret_basic (default). The client id and secret are submitted with the HTTP Authorization Basic scheme.
- post: client_secret_post. The client id and secret are submitted as the client_id and client_secret form parameters.
- post-jwt: client_secret_jwt. The client id and generated JWT secret are submitted as the client_id and client_secret form parameters.
- query: client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension.
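To make the difference between the four client authentication methods concrete, the following Python sketch (an added example, not Quarkus or any OIDC client library code) builds the token request for each value, including a minimal HS256 generator for the client_secret_jwt variant and the matching provider-side check. The endpoint, client id and secret are constructed sample values, and using HS256 keyed with the shared secret for the generated JWT is an assumption for the example. The query variant is included so the difference is visible: the long-lived secret lands in the request URL, where proxies and access logs commonly record it, whereas basic and post keep it in the header or body and post-jwt sends only a short-lived, audience-bound token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed sample values for the example; not real credentials or endpoints.
CLIENT_ID = "quarkus-app"
CLIENT_SECRET = "constructed-secret-do-not-use"
TOKEN_ENDPOINT = "https://oidc.example.test/realms/demo/protocol/openid-connect/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt(client_id: str, secret: str, audience: str,
                      now: Optional[int] = None, lifetime: int = 60) -> str:
    """Short-lived HS256 JWT used as the generated secret (assumption: HS256 over the shared secret)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": f"{client_id}-{now}"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_client_secret_jwt(token: str, secret: str, audience: str,
                             now: Optional[int] = None) -> bool:
    """Provider-side check: pinned algorithm, constant-time signature compare, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return False
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    return claims.get("aud") == audience and claims.get("exp", 0) > now


def build_token_request(method: str, grant: Dict[str, str],
                        now: Optional[int] = None) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (url, headers, form) for the token request under one of the four methods."""
    url = TOKEN_ENDPOINT
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = dict(grant)
    if method == "basic":
        creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
        headers["Authorization"] = "Basic " + creds
    elif method == "post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    elif method == "post-jwt":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = client_secret_jwt(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now)
    elif method == "query":
        url = TOKEN_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return url, headers, form


def raw_secret_in_url(url: str) -> bool:
    """True when the long-lived secret appears in the request line (the query method)."""
    return CLIENT_SECRET in url
```

The verifier pins the algorithm before checking the signature; accepting whatever alg the header announces is the classic mistake that turns a signed assertion into an unsigned one.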
quarkus.oidc.credentials.jwt.source
JWT token source: OIDC provider client or an existing JWT bearer token.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key-file and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
A unique tenant identifier. It can be set by TenantConfigResolver providers, which resolve the tenant configuration dynamically.
Environment variable: QUARKUS_OIDC_TENANT_ID
string
quarkus.oidc.tenant-enabled
If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a TenantConfigResolver that resolves tenant configurations is registered, or named tenants are configured. In this case, you do not need to disable the default tenant.
Environment variable: QUARKUS_OIDC_TENANT_ENABLED
boolean
true
quarkus.oidc.application-type
The application type, which can be one of the following ApplicationType values.
- web-app: A WEB_APP is a client that serves pages, usually a front-end application. For this type of client the Authorization Code Flow is defined as the preferred method for authenticating users.
- service: A SERVICE is a client that has a set of protected HTTP resources, usually a backend application following the RESTful Architectural Design. For this type of client, the Bearer Authorization method is defined as the preferred method for authenticating and authorizing users.
- hybrid: A combined SERVICE and WEB_APP client. For this type of client, the Bearer Authorization method is used if the Authorization header is set and the Authorization Code Flow if not.
Default: service
quarkus.oidc.authorization-path
The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for web-app applications if OIDC discovery is disabled. This property is ignored if OIDC discovery is enabled.
The relative path or absolute URL of the OIDC UserInfo endpoint. You must set this property for web-app applications if OIDC discovery is disabled and the authentication.user-info-required property is enabled. This property is ignored if OIDC discovery is enabled.
Environment variable: QUARKUS_OIDC_USER_INFO_PATH
string
quarkus.oidc.introspection-path
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC JSON Web Key Set (JWKS) endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property is ignored if the discovery is enabled.
Environment variable: QUARKUS_OIDC_JWKS_PATH
string
quarkus.oidc.end-session-path
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the web-app applications is required. This property is ignored if the discovery is enabled.
The paths which must be secured by this tenant. Tenant with the most specific path wins.
Please see the Configure tenant paths section of the OIDC multitenancy guide for an explanation of the allowed path patterns.
Environment variable: QUARKUS_OIDC_TENANT_PATHS
list of string
quarkus.oidc.public-key
The public key for the local JWT token verification. OIDC server connection is not created when this property is set.
A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no groups claim but has the groups set in one or more different claims.
The separator for splitting strings that contain multiple group values. It is only used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space is used by default because the standard scope claim can contain a space-separated sequence.
idtoken: ID Token, the default value for the web-app applications.
accesstoken: Access Token, the default value for the service applications; can also be used as the source of roles for the web-app applications.
userinfo: User Info.
quarkus.oidc.token.issuer
The expected issuer iss claim value. This property overrides the issuer property, which might be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to any, but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.
Environment variable: QUARKUS_OIDC_TOKEN_ISSUER
string
quarkus.oidc.token.audience
The expected audience aud claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. The ID token audience must be equal to the value of the quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set the ID token audience claim. Audience verification for access tokens is only done if this property is configured.
Environment variable: QUARKUS_OIDC_TOKEN_AUDIENCE
list of string
quarkus.oidc.token.subject-required
Require that the token includes a sub (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo sub claims must be present and match each other.
A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Token age. It allows the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew, which can be configured with quarkus.oidc.token.lifespan-grace to verify the token expiry time, can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid exp (expiry) claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request, since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an exp claim. However, even if the current logout token is allowed to have no exp claim, the exp claim is still verified if the logout token contains it.
Require that the token includes an iat (issued at) claim. Set this property to false if your JWT token does not contain an iat (issued at) claim. Note that the ID token is always required to have an iat claim and therefore this property has no impact on the ID token verification process.
Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user is redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option to be effective, the authentication.session-age-extension property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP. This property is enabled if quarkus.oidc.token.refresh-token-time-skew is configured; you do not need to enable this property manually in this case.
The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time, a refresh is going to happen.
Required signature algorithm. OIDC providers support many signature algorithms, but if necessary you can restrict the Quarkus application to accept tokens signed only with an algorithm configured with this property.
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the private_key_jwt client authentication method is used, the private key used to sign the client authentication JWT tokens is also used to decrypt the encrypted ID tokens.
Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to true by default for backward-compatibility reasons. It is planned that this default value will be changed to false in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
Token customizer name. Allows selecting a tenant-specific token customizer as a named bean. Prefer using the TenantFeature qualifier when registering a custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
Environment variable: QUARKUS_OIDC_LOGOUT_PATH
string
quarkus.oidc.logout.post-logout-path
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
Logout token claim whose value is used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.
query: Authorization response parameters are encoded in the query string added to the redirect_uri.
form-post: Authorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type.
query
quarkus.oidc.authentication.redirect-path
The relative path for calculating a redirect_uri query parameter. It has to start with a forward slash and is appended to the request URI’s host and port. For example, if the current request URI is https://localhost:8080/service, the redirect_uri parameter is set to https://localhost:8080/ if this property is set to /, and is the same as the request URI if this property has not been configured. Note the original request URI is restored after the user has authenticated if restorePathAfterRedirect is set to true.
If this property is set to true, the original request URI which was used before the authentication is restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI is restored even if this property is disabled.
Remove the query parameters such as code and state set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.
Relative path to the public endpoint which processes the error response from the OIDC authorization endpoint. If the user authentication has failed, the OIDC provider returns an error and an optional error_description parameters, instead of the expected authorization code. If this property is set, the user is redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if it is set as /error and the current request URI is https://localhost:8080/callback?error=invalid_scope, a redirect is made to https://localhost:8080/error?error=invalid_scope. If this property is not set, HTTP 401 status is returned in case of the user authentication failure.
Relative path to the public endpoint which an authenticated user is redirected to when the session has expired.
When the OIDC session has expired and the session can not be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned.
Set this property if you would like the user whose session has expired to be redirected to a public application-specific page instead, which can inform the user that the session has expired and advise them to re-authenticate by following a link to the secured initial entry page.
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow.
ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles.
Authorization code flow access token is meant to be propagated to downstream services and is not verified by default unless quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision is based on the roles extracted from the access token.
Authorization code flow access token verification is also enabled if this token is injected as JsonWebToken. Set this property to false if it is not required.
Force https as the redirect_uri parameter scheme when running behind an SSL/TLS terminating reverse proxy. This property, if enabled, also affects the logout post_logout_redirect_uri and the local redirect requests.
Require that the ID token includes a nonce claim which must match the nonce authentication request query parameter. Enabling this property can help mitigate replay attacks. Do not enable this property if your OpenId Connect provider does not support setting nonce in the ID token, or if you work with an OAuth2 provider such as GitHub which does not issue ID tokens.
Add the openid scope automatically to the list of scopes. This is required for OpenId Connect providers, but does not work for OAuth2 providers such as Twitter OAuth2, which do not accept this scope and throw errors.
If enabled the state, session, and post logout cookies have their secure parameter set to true when HTTP is used. It might be necessary when running behind an SSL/TLS terminating reverse proxy. The cookies are always secure if HTTPS is used, even if this property is set to false.
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is q_session but can be changed to q_session_test if this property is set to test.
Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, is checked first.
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the cookie-path property is checked.
If a state cookie is present, a state query parameter must also be present and both the state cookie name suffix and state cookie value must match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie might represent the authentication flow initiated from another tab and not related to the current request. Disable this property to permit only a single authorization code flow in the same browser.
Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present.
When either multiple authentications are disabled or the redirect URL matches the original request URL, a stale state cookie might remain in the browser cache from an earlier failed redirect to the OpenId Connect provider and be visible during the current request. For example, if a Single-page application (SPA) uses XHR to handle redirects to a provider which does not support CORS for its authorization endpoint, the browser blocks the request and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but finds no matching state query parameter.
Reporting an HTTP 401 error is usually the right thing to do in such cases; it minimizes the risk of a browser redirect loop and can also identify problems in the way the SPA or Quarkus application manages redirects. For example, enabling java-script-auto-redirect or having the provider redirect to the URL configured with redirect-path might be needed to avoid such errors.
However, setting this property to false might help if the above options are not suitable. It causes a new authentication redirect to OpenId Connect provider. Doing so might increase the risk of browser redirect loops.
If this property is set to true, an OIDC UserInfo endpoint is called.
This property is enabled automatically if quarkus.oidc.roles.source is set to userinfo, quarkus.oidc.token.verify-access-token-with-user-info is set to true, or quarkus.oidc.authentication.id-token-required is set to false; the current OIDC tenant must support a UserInfo endpoint in these cases.
It is also enabled automatically if io.quarkus.oidc.UserInfo injection point is detected but only if the current OIDC tenant supports a UserInfo endpoint.
true when UserInfo bean is injected, false otherwise
quarkus.oidc.authentication.session-age-extension
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the token.refresh-expired property has not been enabled.
State cookie age in minutes. State cookie is created every time a new authorization code flow redirect starts and removed when this flow is completed. State cookie name is unique by default, see allow-multiple-code-flows. Keep its age to the reasonable minimum value such as 5 minutes or less.
If this property is set to true, a normal 302 redirect response is returned if the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated. This might not be desirable for Single-page applications (SPA), since automatically following the redirect might not work given that OIDC authorization endpoints typically do not support CORS.
If this property is set to false, a status code of 499 is returned to allow the SPA to handle the redirect manually if a request header identifying the current request as a JavaScript request is found. An X-Requested-With request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken is generated in such cases.
Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret, which can be used for client_jwt_secret authentication, is checked. A client secret is not used as a state encryption secret if it is less than 32 characters long.
The secret is auto-generated if it remains uninitialized after checking all of these properties.
Error is reported if the secret length is less than 16 characters.
Additional parameters, in addition to the required code and redirect-uri parameters, which must be included to complete the authorization code grant request.
keep-all-tokens: Keep ID, access and refresh tokens.
id-token: Keep ID token only.
id-refresh-tokens: Keep ID and refresh tokens only.
keep-all-tokens
quarkus.oidc.token-state-manager.split-tokens
The default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize the session cookie size.
The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when encryption-required property is enabled.
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret, which can be used for client_jwt_secret authentication, is checked. The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these properties. A generated secret cannot decrypt a session cookie encrypted before the restart, therefore a user re-authentication will be required.
The secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.
a256-gcmkw: A content encryption key will be generated and encrypted using the A256GCMKW algorithm and the configured encryption secret. The generated content encryption key will be used to encrypt the session cookie content.
dir: The configured key encryption secret will be used as the content encryption key to encrypt the session cookie content. Using direct encryption avoids a content encryption key generation step and will make the encrypted session cookie sequence slightly shorter. Avoid using direct encryption if the encryption secret is less than 32 characters long.
a256-gcmkw
quarkus.oidc.allow-token-introspection-cache
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits caching the token introspection for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits caching the user info data for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.
Allow inlining UserInfo in the IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated because the OAuth2 provider does not return an IdToken. Inlining UserInfo in the generated IdToken allows storing it in the session cookie and avoids introducing cached state.
Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the allow-user-info-cache property set to false.
If JWK verification keys should be fetched at the moment a connection to the OIDC provider is initialized.
Disabling this property delays the key acquisition until the moment the current token has to be verified. Typically this is only necessary if the token or other related request properties provide additional context which is required to resolve the keys correctly.
Cache timer interval. If this property is set, a timer checks and removes the stale entries periodically. This property is ignored if the resolve-early property is set to true.
In case there is no key identifier ('kid') or certificate thumbprints ('x5t', 'x5t#S256') specified in the JOSE header and no key could be determined, check all available keys matching the token algorithm ('alg') header value.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. Do not set this property if you use 'quarkus-oidc' and the public key verification (public-key) or certificate chain verification only (certificate-chain) is required. The OIDC discovery endpoint is called by default by appending a .well-known/openid-configuration path to this URL. For Keycloak, use https://host:port/realms/{realm}, replacing {realm} with the Keycloak realm name.
The relative path or absolute URL of the OIDC dynamic client registration endpoint. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to 20S allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the connection-retry-count property instead.
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from connection-delay, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting.
Whether DNS lookup should be performed on the worker thread. Use this option when you see logged warnings about the Vert.x event loop being blocked by HTTP requests to the OIDC server.
The host name or IP address of the Proxy.
Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, then an error will be thrown.
The default TLS configuration is not used by default.
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if application-type is service and no token introspection is required.
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.
The client secret value. This value is ignored if credentials.secret is set. Must be set unless a secret is set in client-secret or jwt client authentication is required.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager.
basic: client_secret_basic (default): The client id and secret are submitted with the HTTP Authorization Basic scheme.
post: client_secret_post: The client id and secret are submitted as the client_id and client_secret form parameters.
post-jwt: client_secret_jwt: The client id and generated JWT secret are submitted as the client_id and client_secret form parameters.
query: The client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension.
quarkus.oidc."tenant".credentials.jwt.source
JWT token source: OIDC provider client or an existing JWT bearer token.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager.
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key-file and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a TenantConfigResolver that resolves tenant configurations is registered, or named tenants are configured. In this case, you do not need to disable the default tenant.
web-app: A WEB_APP is a client that serves pages, usually a front-end application. For this type of client the Authorization Code Flow is defined as the preferred method for authenticating users.
service: A SERVICE is a client that has a set of protected HTTP resources, usually a backend application following the RESTful Architectural Design. For this type of client, the Bearer Authorization method is defined as the preferred method for authenticating and authorizing users.
hybrid: A combined SERVICE and WEB_APP client. For this type of client, the Bearer Authorization method is used if the Authorization header is set, and the Authorization Code Flow if not.
service
quarkus.oidc."tenant".authorization-path
The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for web-app applications if OIDC discovery is disabled. This property is ignored if OIDC discovery is enabled.
The relative path or absolute URL of the OIDC UserInfo endpoint. You must set this property for web-app applications if OIDC discovery is disabled and the authentication.user-info-required property is enabled. This property is ignored if OIDC discovery is enabled.
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC JSON Web Key Set (JWKS) endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property is ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the web-app applications is required. This property is ignored if the discovery is enabled.
The paths which must be secured by this tenant. The tenant with the most specific path wins. See the Configure tenant paths section of the OIDC multitenancy guide for an explanation of the allowed path patterns.
A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no groups claim but has the groups set in one or more different claims.
The separator for splitting strings that contain multiple group values. It is only used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space is used by default because the standard scope claim can contain a space-separated sequence.
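The two properties above describe how a claim path such as "realm/groups" or a double-quoted namespace-qualified claim is walked, and how string-valued claims are split. The following is an added illustration of that resolution logic in Python; it is not Quarkus code, and the token payload is constructed for the example.

```python
import json
import re

# Constructed sample token payload (not a real token): groups live under a
# nested "realm" object and in a namespace-qualified claim that holds a
# space-separated string, mirroring the path examples in the description.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "user-123",
  "realm": {"groups": ["admin", "auditor"]},
  "https://example.org/roles": "reader writer",
  "scope": "openid profile"
}
""")

# A segment is either a double-quoted literal or a run of characters without '/'.
_SEGMENT = re.compile(r'"([^"]+)"|([^/"]+)')


def parse_claim_path(path: str) -> list:
    """Split a claim path into JSON object names.

    Segments are separated by '/'; a segment wrapped in double quotes is taken
    literally, so "https://example.org/roles" is a single segment even though
    it contains slashes.
    """
    return [quoted or plain for quoted, plain in _SEGMENT.findall(path)]


def resolve_groups(claims: dict, paths: list, separator: str = " ") -> list:
    """Collect group values from every configured claim path.

    Array values are taken as-is; string values are split on `separator`
    (a single space by default, as for the standard scope claim). A path that
    does not resolve to a value is skipped rather than treated as an error
    (an assumption made for this example).
    """
    groups = []
    for path in paths:
        node = claims
        for segment in parse_claim_path(path):
            if not isinstance(node, dict) or segment not in node:
                node = None
                break
            node = node[segment]
        if isinstance(node, list):
            groups.extend(str(v) for v in node)
        elif isinstance(node, str):
            groups.extend(v for v in node.split(separator) if v)
    return groups


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_CLAIMS, ["realm/groups", '"https://example.org/roles"']))
```

Quoting the namespace-qualified claim is what keeps the URL from being split on its own slashes; without the quotes the path would be read as nested objects named "https:", "example.org" and "roles".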
idtoken: ID Token - the default value for the web-app applications.
accesstoken: Access Token - the default value for the service applications; can also be used as the source of roles for the web-app applications.
userinfo: User Info
quarkus.oidc."tenant".token.issuer
The expected issuer iss claim value. This property overrides the issuer property, which might be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to any, but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.
The expected audience aud claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. The ID token audience must be equal to the value of the quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set the ID token audience claim. Audience verification for access tokens is only done if this property is configured.
Require that the token includes a sub (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo sub claims must be present and match each other.
A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with quarkus.oidc.token.lifespan-grace to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid (exp) expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an exp claim. However, even if the current logout token is allowed to have no exp claim, the exp claim is still verified if the logout token contains it.
Require that the token includes an iat (issued at) claim. Set this property to false if your JWT token does not contain an iat (issued at) claim. Note that an ID token is always required to have an iat claim and therefore this property has no impact on the ID token verification process.
Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user is redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option to be effective, the authentication.session-age-extension property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP. This property is enabled if quarkus.oidc.token.refresh-token-time-skew is configured; you do not need to enable this property manually in this case.
The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time, a refresh is going to happen.
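The lifespan grace period, token age, iat requirement and refresh time skew described above are all small clock comparisons that are easy to get off by a sign. The block below is an added Python illustration of those checks written from the descriptions; it is not Quarkus code, the function names are this example's own, and the claim values are constructed.

```python
def verify_token_times(claims: dict, now: int, lifespan_grace: int = 0,
                       token_age: int = None, iat_required: bool = True,
                       exp_required: bool = True) -> tuple:
    """Apply the expiry, issue-time and age rules to a decoded JWT payload.

    `now`, claim values and all settings are integer seconds.
    - lifespan_grace: `now` may be later than exp, or sooner than iat, by at
      most this many seconds.
    - token_age: if set, no more than this many seconds (plus the grace) may
      have elapsed since iat; a token with no iat cannot pass an age check
      (assumption made for this example).
    - exp_required=False models the back-channel logout token case: a missing
      exp is tolerated, but a present exp is still verified.
    Returns (ok, reason).
    """
    exp = claims.get("exp")
    iat = claims.get("iat")

    if exp is None:
        if exp_required:
            return False, "missing exp claim"
    elif now > exp + lifespan_grace:
        return False, "token expired"

    if iat is None:
        if iat_required or token_age is not None:
            return False, "missing iat claim"
        return True, "ok"
    if now < iat - lifespan_grace:
        return False, "token issued in the future"
    if token_age is not None and now > iat + token_age + lifespan_grace:
        return False, "token older than the configured age"
    return True, "ok"


def should_refresh(exp: int, now: int, refresh_time_skew: int) -> bool:
    """Refresh when the current time plus the skew passes the expiry time."""
    return exp is not None and now + refresh_time_skew > exp


if __name__ == "__main__":
    now = 1_000_000  # constructed "current time"
    token = {"iat": now - 100, "exp": now + 200}
    print(verify_token_times(token, now + 205, lifespan_grace=10))
    print(should_refresh(token["exp"], now, refresh_time_skew=300))
```

The grace period is applied on both sides of iat and exp, matching the description, while the refresh skew only moves the expiry comparison earlier so that a token still technically valid is renewed before it is used.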
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the private_key_jwt client authentication method is used, the private key used to sign the client authentication JWT tokens is also used to decrypt the encrypted ID tokens.
Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to true by default for backward-compatibility reasons. It is planned that this default value will be changed to false in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
Token customizer name. Allows selecting a tenant-specific token customizer as a named bean. Prefer using the TenantFeature qualifier when registering a custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
Logout token claim whose value is used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.
query: Authorization response parameters are encoded in the query string added to the redirect_uri. This is the default.
form-post: Authorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type.
The relative path for calculating a redirect_uri query parameter. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if the current request URI is https://localhost:8080/service, a redirect_uri parameter is set to https://localhost:8080/ if this property is set to / and be the same as the request URI if this property has not been configured. Note the original request URI is restored after the user has authenticated if restorePathAfterRedirect is set to true.
If this property is set to true, the original request URI which was used before the authentication is restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI is restored even if this property is disabled.
Remove the query parameters such as code and state set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.
Relative path to the public endpoint which processes the error response from the OIDC authorization endpoint. If the user authentication has failed, the OIDC provider returns an error and an optional error_description parameters, instead of the expected authorization code. If this property is set, the user is redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if it is set as /error and the current request URI is https://localhost:8080/callback?error=invalid_scope, a redirect is made to https://localhost:8080/error?error=invalid_scope. If this property is not set, HTTP 401 status is returned in case of the user authentication failure.
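The redirect-path and error-path descriptions above define two small URL rewrites: deriving redirect_uri from the current request URI, and forwarding the provider's error and error_description parameters to a public error page. The following is an added Python illustration of both, built from those descriptions only; it is not Quarkus code, and the function names are this example's own.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def compute_redirect_uri(request_uri: str, redirect_path: str = None,
                         force_https: bool = False) -> str:
    """Build the redirect_uri parameter for the authorization request.

    With no redirect path the request URI itself is used; with one, the path
    is appended to the request URI's scheme, host and port. force_https
    models the 'force https scheme behind a TLS-terminating proxy' option.
    """
    parts = urlsplit(request_uri)
    scheme = "https" if force_https else parts.scheme
    if redirect_path is None:
        return urlunsplit((scheme, parts.netloc, parts.path, parts.query, ""))
    if not redirect_path.startswith("/"):
        raise ValueError("redirect path must start with a forward slash")
    return urlunsplit((scheme, parts.netloc, redirect_path, "", ""))


def compute_error_redirect(callback_uri: str, error_path: str = None):
    """Decide how to answer the provider's redirect back to the application.

    Returns None when the callback carries no error (the code exchange can
    proceed), (302, location) when an error page is configured, and
    (401, None) when it is not.
    """
    parts = urlsplit(callback_uri)
    params = dict(parse_qsl(parts.query))
    if "error" not in params:
        return None
    if error_path is None:
        return 401, None
    if not error_path.startswith("/"):
        raise ValueError("error path must start with a forward slash")
    # Only the provider's error and error_description are forwarded; code and
    # state never reach the public error page.
    forwarded = {k: params[k] for k in ("error", "error_description") if k in params}
    return 302, urlunsplit((parts.scheme, parts.netloc, error_path, urlencode(forwarded), ""))


if __name__ == "__main__":
    print(compute_redirect_uri("https://localhost:8080/service", "/"))
    print(compute_error_redirect("https://localhost:8080/callback?error=invalid_scope", "/error"))
```

Both helpers reject a relative value without a leading slash rather than silently joining it, because a redirect URI that does not match what was registered at the provider fails the code exchange in a way that is hard to diagnose from the application side.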
Relative path to the public endpoint which an authenticated user is redirected to when the session has expired.
When the OIDC session has expired and the session cannot be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned.
Set this property if you would like the user whose session has expired to be redirected to a public application-specific page instead, which can inform them that the session has expired and advise them to re-authenticate by following a link to the secured initial entry page.
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow.
ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles.
Authorization code flow access token is meant to be propagated to downstream services and is not verified by default unless quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision is based on the roles extracted from the access token.
Authorization code flow access token verification is also enabled if this token is injected as JsonWebToken. Set this property to false if it is not required.
Force https as the redirect_uri parameter scheme when running behind an SSL/TLS terminating reverse proxy. This property, if enabled, also affects the logout post_logout_redirect_uri and the local redirect requests.
Require that ID token includes a nonce claim which must match nonce authentication request query parameter. Enabling this property can help mitigate replay attacks. Do not enable this property if your OpenId Connect provider does not support setting nonce in ID token or if you work with OAuth2 provider such as GitHub which does not issue ID tokens.
Add the openid scope automatically to the list of scopes. This is required for OpenId Connect providers, but does not work for OAuth2 providers such as Twitter OAuth2, which do not accept this scope and throw errors.
If enabled the state, session, and post logout cookies have their secure parameter set to true when HTTP is used. It might be necessary when running behind an SSL/TLS terminating reverse proxy. The cookies are always secure if HTTPS is used, even if this property is set to false.
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is q_session but can be changed to q_session_test if this property is set to test.
Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, is checked first.
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the cookie-path property is checked.
If a state cookie is present, a state query parameter must also be present and both the state cookie name suffix and state cookie value must match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie might represent the authentication flow initiated from another tab and not related to the current request. Disable this property to permit only a single authorization code flow in the same browser.
Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present.
When either multiple authentications are disabled or the redirect URL matches the original request URL, a stale state cookie might remain in the browser cache from an earlier failed redirect to the OpenId Connect provider and be visible during the current request. For example, if a Single-page application (SPA) uses XHR to handle redirects to a provider which does not support CORS for its authorization endpoint, the browser blocks the redirect and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but finds no matching state query parameter.
Reporting an HTTP 401 error is usually the right thing to do in such cases: it minimizes the risk of a browser redirect loop and can also identify problems in the way the SPA or the Quarkus application manages redirects. For example, enabling java-script-auto-redirect or having the provider redirect to a URL configured with redirect-path might be needed to avoid such errors.
However, setting this property to false might help if the above options are not suitable. It causes a new authentication redirect to the OpenId Connect provider. Doing so might increase the risk of browser redirect loops.
If this property is set to true, an OIDC UserInfo endpoint is called.
This property is enabled automatically if quarkus.oidc.roles.source is set to userinfo, quarkus.oidc.token.verify-access-token-with-user-info is set to true, or quarkus.oidc.authentication.id-token-required is set to false; the current OIDC tenant must support a UserInfo endpoint in these cases.
It is also enabled automatically if io.quarkus.oidc.UserInfo injection point is detected but only if the current OIDC tenant supports a UserInfo endpoint.
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the token.refresh-expired property has not been enabled.
State cookie age in minutes. State cookie is created every time a new authorization code flow redirect starts and removed when this flow is completed. State cookie name is unique by default, see allow-multiple-code-flows. Keep its age to the reasonable minimum value such as 5 minutes or less.
If this property is set to true, a normal 302 redirect response is returned if the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated. This might not be desirable for Single-page applications (SPA), since automatically following the redirect might not work given that OIDC authorization endpoints typically do not support CORS.
If this property is set to false, a status code of 499 is returned to allow the SPA to handle the redirect manually if a request header identifying the current request as a JavaScript request is found. By default, an X-Requested-With request header with its value set to either JavaScript or XMLHttpRequest is expected. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken is generated in such cases.
Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret, which can be used for client_jwt_secret authentication, is checked. A client secret is not used as a state encryption secret if it is less than 32 characters long.
The secret is auto-generated if it remains uninitialized after checking all of these properties.
Error is reported if the secret length is less than 16 characters.
Additional parameters, in addition to the required code and redirect-uri parameters, which must be included to complete the authorization code grant request.
The default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize the session cookie size.
The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when encryption-required property is enabled.
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret, which can be used for client_jwt_secret authentication, is checked. The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these properties. A generated secret cannot decrypt a session cookie encrypted before the restart, therefore a user re-authentication will be required.
The secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.
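The state encryption secret and the session cookie encryption secret above share the same fallback chain (explicit secret, then quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value, then quarkus.oidc.credentials.jwt.secret, then auto-generation) but differ in how short values are treated. The block below is an added Python illustration of that resolution written from the two descriptions; it is not Quarkus code, the explicit property name is passed in as a placeholder because this page does not show it, and applying the 32-character rule to every fallback for the state secret is an assumption of this example.

```python
import logging
import secrets

log = logging.getLogger("oidc-secret-resolution-example")

# Fallback properties named in the descriptions, checked in this order.
FALLBACK_KEYS = (
    "quarkus.oidc.credentials.secret",
    "quarkus.oidc.credentials.client-secret.value",
    "quarkus.oidc.credentials.jwt.secret",
)


def resolve_encryption_secret(config: dict, explicit_key: str, *, purpose: str) -> tuple:
    """Return (secret, source) for purpose "state" or "session".

    explicit_key is a placeholder for the dedicated secret property (not taken
    from this page). For "state", a fallback shorter than 32 characters is
    skipped and a resolved secret shorter than 16 characters is an error; for
    "session", short secrets only produce warnings. A generated secret differs
    on every call, which is why a restart invalidates existing session cookies.
    """
    if purpose not in ("state", "session"):
        raise ValueError("purpose must be 'state' or 'session'")

    secret, source = config.get(explicit_key), explicit_key
    if not secret:
        for key in FALLBACK_KEYS:
            candidate = config.get(key)
            if not candidate:
                continue
            if purpose == "state" and len(candidate) < 32:
                log.warning("%s is shorter than 32 characters; not used as the state secret", key)
                continue
            secret, source = candidate, key
            break
    if not secret:
        secret, source = secrets.token_urlsafe(32), "generated"

    if len(secret) < 16:
        if purpose == "state":
            raise ValueError("state encryption secret must be at least 16 characters")
        log.warning("session encryption secret is shorter than 16 characters")
    elif len(secret) < 32:
        log.warning("%s encryption secret is shorter than the recommended 32 characters", purpose)
    return secret, source


if __name__ == "__main__":
    # Constructed configuration: only a 20-character client secret is present.
    cfg = {"quarkus.oidc.credentials.secret": "short-secret-20chars"}
    print(resolve_encryption_secret(cfg, "state-secret", purpose="state"))
    print(resolve_encryption_secret(cfg, "encryption-secret", purpose="session"))
```

With the same 20-character client secret the state secret is generated fresh while the session secret reuses the client secret with a warning, which is exactly the asymmetry the two descriptions spell out.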
a256-gcmkw: A content encryption key will be generated and encrypted using the A256GCMKW algorithm and the configured encryption secret. The generated content encryption key will be used to encrypt the session cookie content. This is the default.
dir: The configured key encryption secret will be used as the content encryption key to encrypt the session cookie content. Using the direct encryption avoids a content encryption key generation step and will make the encrypted session cookie sequence slightly shorter. Avoid using the direct encryption if the encryption secret is less than 32 characters long.
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits caching the token introspection for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits caching the user info data for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.
Allow inlining UserInfo in the IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated because the OAuth2 provider does not return an IdToken. Inlining UserInfo in the generated IdToken allows storing it in the session cookie and avoids introducing cached state.
Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the allow-user-info-cache property set to false.
If JWK verification keys should be fetched at the moment a connection to the OIDC provider is initialized.
Disabling this property delays the key acquisition until the moment the current token has to be verified. Typically this is only necessary if the token or other related request properties provide an additional context which is required to resolve the keys correctly.
Cache timer interval. If this property is set, a timer checks and removes the stale entries periodically. This property is ignored if the resolve-early property is set to true.
In case there is no key identifier ('kid') or certificate thumbprints ('x5t', 'x5t#S256') specified in the JOSE header and no key could be determined, check all available keys matching the token algorithm ('alg') header value.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. Do not set this property if you use 'quarkus-oidc' and the public key verification (public-key) or certificate chain verification only (certificate-chain) is required. The OIDC discovery endpoint is called by default by appending a .well-known/openid-configuration path to this URL. For Keycloak, use https://host:port/realms/{realm}, replacing {realm} with the Keycloak realm name.
The relative path or absolute URL of the OIDC dynamic client registration endpoint. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to 20S allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the connection-retry-count property instead.
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from connection-delay, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting.
Whether DNS lookup should be performed on the worker thread. Use this option when you see logged warnings about the Vert.x event loop being blocked by HTTP requests to the OIDC server.
The host name or IP address of the Proxy.
Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured, but no TLS configuration is found with that name, then an error will be thrown.
The default TLS configuration is not used by default.
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if application-type is service and no token introspection is required.
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.
The client secret value. This value is ignored if credentials.secret is set. Must be set unless a secret is set in client-secret or jwt client authentication is required.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager.
basic: client_secret_basic (default): The client id and secret are submitted with the HTTP Authorization Basic scheme.
post: client_secret_post: The client id and secret are submitted as the client_id and client_secret form parameters.
post-jwt: client_secret_jwt: The client id and generated JWT secret are submitted as the client_id and client_secret form parameters.
query: The client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension.
quarkus.oidc-client.credentials.jwt.source
JWT token source: OIDC provider client or an existing JWT bearer token.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager.
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key-file and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen.
client: 'client_credentials' grant requiring an OIDC client authentication only. This is the default.
password: 'password' grant requiring both OIDC client and user ('username' and 'password') authentications.
code: 'authorization_code' grant requiring an OIDC client authentication as well as at least 'code' and 'redirect_uri' parameters which must be passed to OidcClient at the token request time.
exchange: 'urn:ietf:params:oauth:grant-type:token-exchange' grant requiring an OIDC client authentication as well as at least a 'subject_token' parameter which must be passed to OidcClient at the token request time.
jwt: 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant requiring an OIDC client authentication as well as at least an 'assertion' parameter which must be passed to OidcClient at the token request time.
refresh: 'refresh_token' grant requiring an OIDC client authentication and a refresh token. Note, OidcClient supports this grant by default if an access token acquisition response contained a refresh token. However, in some cases, the refresh token is provided out of band, for example, it can be shared between several of the confidential client's services, etc. If 'quarkus.oidc-client.grant-type' is set to 'refresh' then OidcClient will only support refreshing the tokens.
ciba: 'urn:openid:params:grant-type:ciba' grant requiring an OIDC client authentication as well as an 'auth_req_id' parameter which must be passed to OidcClient at the token request time.
device: 'urn:ietf:params:oauth:grant-type:device_code' grant requiring an OIDC client authentication as well as a 'device_code' parameter which must be passed to OidcClient at the token request time.
quarkus.oidc-client.grant.access-token-property
Access token property name in a token grant response
Requires that all filters which use 'OidcClient' acquire the tokens at the post-construct initialization time, possibly long before these tokens are used. This property should be disabled if the access token may expire before it is used for the first time and no refresh token is available.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. Do not set this property if you use 'quarkus-oidc' and the public key verification (public-key) or certificate chain verification only (certificate-chain) is required. The OIDC discovery endpoint is called by default by appending a .well-known/openid-configuration path to this URL. For Keycloak, use https://host:port/realms/{realm}, replacing {realm} with the Keycloak realm name.
The relative path or absolute URL of the OIDC dynamic client registration endpoint. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to 20S allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the connection-retry-count property instead.
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from connection-delay, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting.
Whether DNS lookup should be performed on the worker thread. Use this option when you see logged warnings about the Vert.x event loop being blocked by HTTP requests to the OIDC server.
The host name or IP address of the Proxy.
Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured, but no TLS configuration is found with that name, then an error will be thrown.
The default TLS configuration is not used by default.
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if discovery-enabled is false or a discovered token endpoint path must be customized.
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if application-type is service and no token introspection is required.
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.
The client secret value. This value is ignored if credentials.secret is set. Must be set unless a secret is set in client-secret or jwt client authentication is required.
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager.
basic: client_secret_basic (default). The client id and secret are submitted with the HTTP Authorization Basic scheme.
post: client_secret_post. The client id and secret are submitted as the client_id and client_secret form parameters.
post-jwt: client_secret_jwt. The client id and generated JWT secret are submitted as the client_id and client_secret form parameters.
query: The client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension.
quarkus.oidc-client."id".credentials.jwt.source
JWT token source: OIDC provider client or an existing JWT bearer token.
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key-file and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen.
client: 'client_credentials' grant requiring an OIDC client authentication only.
password: 'password' grant requiring both OIDC client and user ('username' and 'password') authentications.
code: 'authorization_code' grant requiring an OIDC client authentication as well as at least the 'code' and 'redirect_uri' parameters, which must be passed to OidcClient at the token request time.
exchange: 'urn:ietf:params:oauth:grant-type:token-exchange' grant requiring an OIDC client authentication as well as at least the 'subject_token' parameter, which must be passed to OidcClient at the token request time.
jwt: 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant requiring an OIDC client authentication as well as at least an 'assertion' parameter, which must be passed to OidcClient at the token request time.
refresh: 'refresh_token' grant requiring an OIDC client authentication and a refresh token. Note that OidcClient supports this grant by default if an access token acquisition response contained a refresh token. However, in some cases the refresh token is provided out of band; for example, it can be shared between several of the confidential client's services. If 'quarkus.oidc-client.grant-type' is set to 'refresh', then OidcClient will only support refreshing the tokens.
ciba: 'urn:openid:params:grant-type:ciba' grant requiring an OIDC client authentication as well as the 'auth_req_id' parameter, which must be passed to OidcClient at the token request time.
device: 'urn:ietf:params:oauth:grant-type:device_code' grant requiring an OIDC client authentication as well as the 'device_code' parameter, which must be passed to OidcClient at the token request time.
Requires that all filters which use 'OidcClient' acquire the tokens at the post-construct initialization time, possibly long before these tokens are used. This property should be disabled if the access token may expire before it is used for the first time and no refresh token is available.
OpenID Connect Client integration for GraphQL client
quarkus.oidc-client-graphql.client-name
Name of the configured OidcClient used by GraphQL clients. You can override this configuration for typesafe clients with the io.quarkus.oidc.client.filter.OidcClientFilter annotation.
If false, disables OpenTelemetry at build time. All other OTel properties are then ignored at runtime.
Picks up the value from the legacy property quarkus.opentelemetry.enabled.
Defaults to true.
Environment variable: QUARKUS_OTEL_ENABLED
Type: boolean
Default: true
quarkus.otel.traces.exporter
List of exporters supported by Quarkus.
List of exporters to be used for tracing, separated by commas. Has one of the values on ExporterType (otlp, cdi, none) or the fully qualified name of a class implementing io.opentelemetry.sdk.trace.export.SpanExporter.
Default on Quarkus is ExporterType.Constants#CDI_VALUE.
Has one of the values on SamplerType (always_on, always_off, traceidratio, parentbased_always_on, parentbased_always_off, parentbased_traceidratio) or the Sampler SPI name. This will use the OTel SPI hooks for the io.opentelemetry.sdk.trace.samplers.Sampler implementation set in the provider: io.opentelemetry.sdk.autoconfigure.spi.traces.ConfigurableSamplerProvider.
Falls back to the legacy property quarkus.opentelemetry.tracer.sampler.sampler.name or defaults to SamplerType.Constants#PARENT_BASED_ALWAYS_ON.
Environment variable: QUARKUS_OTEL_TRACES_SAMPLER
Type: string
Default: parentbased_always_on
quarkus.otel.traces.eusp.enabled
Whether OpenTelemetry End User attributes should be added as span attributes on a best-effort basis.
This is a Quarkus specific property. Include static resources is disabled by default. Providing a custom io.opentelemetry.sdk.trace.samplers.Sampler CDI Bean will ignore this setting.
Falls back to the legacy property quarkus.opentelemetry.tracer.include-static-resources or defaults to false.
Sampler argument. Depends on the quarkus.otel.traces.sampler property. Falls back to the legacy property quarkus.opentelemetry.tracer.sampler.ratio.
When setting the stock sampler to traceidratio or parentbased_traceidratio you need to set a double compatible value between 0.0d and 1.0d, like 0.01d or 0.5d. It is kept as a String to allow the flexible customisation of alternative samplers.
Sets the OTLP endpoint to send telemetry data. If unset, defaults to OtlpExporterRuntimeConfig#DEFAULT_GRPC_BASE_URI.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.endpoint, where <signal-type> is one of the supported signal types, like traces or metrics.
If the protocol is http/protobuf, the version and signal are appended to the path (e.g. v1/traces or v1/metrics) and the default port is OtlpExporterRuntimeConfig#DEFAULT_HTTP_BASE_URI.
Key-value pairs to be used as headers associated with exporter requests. The format is similar to the OTEL_EXPORTER_OTLP_HEADERS environment variable: a list of key-value pairs separated by the "=" character, for example key1=value1,key2=value2.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.headers, where <signal-type> is one of the supported signal types, like traces or metrics.
Sets the method used to compress payloads. If unset, compression is disabled. Currently supported compression methods are gzip and none.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.compression, where <signal-type> is one of the supported signal types, like traces or metrics.
Sets the maximum time to wait for the collector to process an exported batch of telemetry data. If unset, defaults to OtlpExporterRuntimeConfig#DEFAULT_TIMEOUT_SECS seconds.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.timeout, where <signal-type> is one of the supported signal types, like traces or metrics.
OTLP defines the encoding of telemetry data and the protocol used to exchange data between the client and the server. Depending on the exporter, the available protocols differ.
Currently, only grpc and http/protobuf are allowed.
Note that changing the protocol requires changing the port in the endpoint as well.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.protocol, where <signal-type> is one of the supported signal types, like traces or metrics.
If not set and the default TLS configuration (quarkus.tls.*) is configured, then that is used. If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, an error is thrown.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.tls-configuration-name, where <signal-type> is one of the supported signal types, like traces or metrics.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.proxy-options.enabled, where <signal-type> is one of the supported signal types, like traces or metrics.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.proxy-options.username, where <signal-type> is one of the supported signal types, like traces or metrics.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.proxy-options.password, where <signal-type> is one of the supported signal types, like traces or metrics.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.proxy-options.port, where <signal-type> is one of the supported signal types, like traces or metrics.
There is a generic property that applies to all signals and a signal-specific one, following the pattern quarkus.otel.exporter.otlp.<signal-type>.proxy-options.host, where <signal-type> is one of the supported signal types, like traces or metrics.
The preferred output aggregation temporality. Options include DELTA, LOWMEMORY, and CUMULATIVE.
If CUMULATIVE, all instruments will have cumulative temporality. If DELTA, counter (sync and async) and histograms will be delta, up down counters (sync and async) will be cumulative. If LOWMEMORY, sync counter and histograms will be delta, async counter and up down counters (sync and async) will be cumulative.
Set this to false to use the picocli-codegen annotation processor instead of build steps.
This has a serious build-time performance impact, since it runs on every restart in dev mode; use with care!
This property is intended to be used only in cases where an incompatible change in the picocli library causes problems in the build steps used to support GraalVM Native images.
In such cases this property allows users to make the trade-off between fast build cycles with the older version of picocli, and temporarily accept slower build cycles with the latest version of picocli until the updated extension is available.
Name of a bean annotated with io.quarkus.picocli.runtime.annotations.TopCommand, or the FQCN of a class that will be used as the entry point for the Picocli CommandLine instance. This class needs to be annotated with picocli.CommandLine.Command.
Environment variable: QUARKUS_PICOCLI_TOP_COMMAND
Type: string
Quarkus - Vert.x GraphQL
quarkus.vertx-graphql.ui.always-include
Whether the GraphQL UI should always be included. By default, it is only included when the application is running in dev mode.
The label to be used to pull remote configuration properties. The default is set on the Spring Cloud Config Server (generally "master" when the server uses a Git backend).
Password to recover the key from the KeyStore for SSL client authentication with the Config server. If no value is provided, the key-store-password will be used.
When using StoreType#JDBC_CMT or StoreType#JDBC_TX configuration values make sure that you have the datasource configured. See Configuring your datasource for more information.
To create the Quartz tables, you can perform a schema migration via the Flyway extension using the SQL script matching your database, picked from the Quartz repository.
Environment variable: QUARKUS_QUARTZ_STORE_TYPE
Type: ram, jdbc-tx, jdbc-cmt
Default: ram
quarkus.quartz.datasource
The name of the datasource to use.
Ignored if using a ram store, i.e. StoreType#RAM.
Optionally needed when using the jdbc-tx or jdbc-cmt store types. If not specified, defaults to using the default datasource.
Environment variable: QUARKUS_QUARTZ_DATASOURCE
Type: string
quarkus.quartz.table-prefix
The prefix for quartz job store tables.
Ignored if using a ram store, i.e. StoreType#RAM.
Environment variable: QUARKUS_QUARTZ_TABLE_PREFIX
Type: string
Default: QRTZ_
quarkus.quartz.select-with-lock-sql
The SQL string that selects a row in the "LOCKS" table and places a lock on the row.
Ignored if using a ram store, i.e. StoreType#RAM.
If not set, the default value of Quartz applies, in which "{0}" is replaced at run time with the table-prefix and "{1}" with the instance-name.
An example SQL string: SELECT * FROM {0}LOCKS WHERE SCHED_NAME = {1} AND LOCK_NAME = ? FOR UPDATE
Instructs JDBCJobStore to serialize JobDataMaps in the BLOB column.
Ignored if using a ram store, i.e. StoreType#RAM.
If this is set to true, the JDBCJobStore will store the JobDataMaps in their serialized form in the BLOB column. This is useful when you want to store complex JobData objects other than String. This is equivalent to setting org.quartz.jobStore.useProperties to false. NOTE: When this option is set to true, all the non-String classes used in JobDataMaps have to be registered for serialization when building a native image.
If this is set to false (the default), the values are stored as name-value pairs rather than as complex objects in their serialized form in the BLOB column. This can be handy, as you avoid the class versioning issues that can arise from serializing your non-String classes into a BLOB. This is equivalent to setting org.quartz.jobStore.useProperties to true.
The identifier of Quartz instance that must be unique for all schedulers working as if they are the same logical Scheduler within a cluster. Use the default value AUTO or some of the configured instance ID generators if you wish the identifier to be generated for you.
The maximum amount of time Quarkus will wait for currently running jobs to finish. If the value is 0, then Quarkus will not wait at all for these jobs to finish - it will call org.quartz.Scheduler.shutdown(false) in this case.
When set to true, blocking scheduled methods are invoked on a thread managed by Quartz instead of a thread from the regular Quarkus thread pool (default).
When this option is enabled, blocking scheduled methods do not run on a duplicated context.
The list of suffixes used when attempting to locate a template file.
By default, engine.getTemplate("foo") would result in several lookups: foo, foo.html, foo.txt, etc.
Environment variable: QUARKUS_QUTE_SUFFIXES
Type: list of string
Default: qute.html,qute.txt,html,txt
quarkus.qute.content-types."file-suffix"
The additional map of suffixes to content types. This map is used when working with template variants. By default, the java.net.URLConnection#getFileNameMap() is used to determine the content type of a template file.
The list of exclude rules used to intentionally ignore some parts of an expression when performing type-safe validation.
An element value must have at least two parts separated by a dot. The last part is used to match the property/method name. The preceding parts are used to match the class name. The value * can be used to match any name.
Examples:
org.acme.Foo.name - exclude the property/method name on the org.acme.Foo class
org.acme.Foo.* - exclude any property/method on the org.acme.Foo class
*.age - exclude the property/method age on any class
This regular expression is used to exclude template files from the templates directory. Excluded templates are neither parsed nor validated during build and are not available at runtime.
The matched input is the file path relative from the templates directory and the / is used as a path separator.
By default, the hidden files are excluded. The name of a hidden file starts with a dot.
By default, a template modification results in an application restart that triggers build-time validations.
This regular expression can be used to specify the templates for which the application is not restarted; that is, the templates are reloaded and only runtime validations are performed.
The matched input is the template path that starts with a template root, and the / is used as a path separator. For example, templates/foo.html.
The strategy used when a standalone expression evaluates to a "not found" value at runtime and the quarkus.qute.strict-rendering config property is set to false.
This strategy is never used when evaluating section parameters, e.g. {#if foo.name}. In such case, it’s the responsibility of the section to handle this situation appropriately.
By default, the NOT_FOUND constant is written to the output. However, in the development mode the PropertyNotFoundStrategy#THROW_EXCEPTION is used by default, i.e. when the strategy is not specified.
default: Output the NOT_FOUND constant.
noop: No operation, no output.
throw-exception: Throw a TemplateException.
output-original: Output the original expression string, e.g. {foo.name}.
quarkus.qute.remove-standalone-lines
Specify whether the parser should remove standalone lines from the output. A standalone line is a line that contains at least one section tag, parameter declaration, or comment but no expression and no non-whitespace character.
If set to true then any expression that is evaluated to a Results.NotFound value will always result in a TemplateException and the rendering is aborted.
Note that the quarkus.qute.property-not-found-strategy config property is completely ignored if strict rendering is enabled.
The global rendering timeout in milliseconds. It is used if no timeout template instance attribute is set.
Environment variable: QUARKUS_QUTE_TIMEOUT
Type: long
Default: 10000
quarkus.qute.use-async-timeout
If set to true then the timeout should also be used for asynchronous rendering methods, such as TemplateInstance#createUni() and TemplateInstance#renderAsync().
If multiple values are set, this datasource will create a pool with a list of servers instead of a single server. The pool uses round-robin load balancing for server selection during connection establishment. Note that certain drivers might not accommodate multiple values in this context.
When a new connection object is created, the pool assigns it an event loop.
When #event-loop-size is set to a strictly positive value, the pool assigns as many event loops as specified, in a round-robin fashion. By default, the number of event loops configured or calculated by Quarkus is used. If #event-loop-size is set to zero or a negative value, the pool assigns the current event loop to the new connection.
The hostname verification algorithm to use when the server's identity should be checked. Should be HTTPS, LDAPS or NONE. NONE is the default value and disables the verification: the connection is still encrypted, but any certificate the trust store accepts is honoured regardless of which host name it was issued for, so NONE should not be relied on in production.
Set to true to share the pool among datasources. There can be multiple shared pools distinguished by name, when no specific name is set, the __vertx.DEFAULT name is used.
Layer 7 (application-level) proxies can load balance queries across several connections to the actual database. When that happens, the client can be confused by the lack of session affinity and unwanted errors can occur, such as ERROR: unnamed prepared statement does not exist (26000). See Using a level 7 proxy
Specifies that each entry should be automatically removed from the cache once a fixed duration has elapsed after the entry’s creation, or the most recent replacement of its value.
The redis hosts to use while connecting to the redis server. Only the cluster and sentinel modes will consider more than 1 element.
The URI uses the following syntax: redis://[username:password@][host][:port][/database]. Credentials embedded in the URI are stored in plain text wherever that configuration lives; use quarkus.redis.hosts-provider-name to provide the hosts programmatically instead.
It is the @Named value of the hosts provider bean. It is used to discriminate if multiple io.quarkus.redis.client.RedisHostsProvider beans are available.
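As an added example (not code from the Quarkus documentation or project), a hosts provider bean that assembles the Redis URI at runtime, so the password never appears inside a redis:// string in application.properties. It is selected with quarkus.redis.hosts-provider-name=secret-backed-hosts. The package, the bean name and the redis.host, redis.port and redis.password configuration keys are assumptions for illustration.

```java
package org.acme.redis; // hypothetical package

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Named;

import org.eclipse.microprofile.config.inject.ConfigProperty;

import io.quarkus.redis.client.RedisHostsProvider;

/**
 * Supplies the Redis host list programmatically. The @Named value is what
 * quarkus.redis.hosts-provider-name must be set to.
 */
@Named("secret-backed-hosts")
@ApplicationScoped
public class SecretBackedRedisHosts implements RedisHostsProvider {

    // Assumed key; MicroProfile Config also resolves it from the
    // REDIS_PASSWORD environment variable, e.g. populated from a mounted secret,
    // so the value need not be written to application.properties at all.
    @ConfigProperty(name = "redis.password")
    String password;

    @ConfigProperty(name = "redis.host", defaultValue = "localhost")
    String host;

    @ConfigProperty(name = "redis.port", defaultValue = "6379")
    int port;

    @Override
    public Set<URI> getHosts() {
        try {
            // Build the URI from components instead of string concatenation, so
            // reserved characters in the password are escaped rather than
            // silently changing the host or port part of the authority.
            URI uri = new URI("redis", "default:" + password, host, port, "/0", null, null);
            return Set.of(uri);
        } catch (URISyntaxException e) {
            throw new IllegalStateException("invalid Redis host configuration", e);
        }
    }
}
```

The single-element set keeps the client in standalone mode; cluster and sentinel modes, which consider more than one element, would return one URI per node. If the password contains characters that are reserved in URIs, confirm that the client decodes the resulting userinfo as expected before relying on it.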
The role name (only considered in Sentinel / HA mode). Accepted values are: MASTER, REPLICA, SENTINEL.
Environment variable: QUARKUS_REDIS_ROLE
Type: master, replica, sentinel. Default: master
quarkus.redis.replicas
Whether to use replicas nodes (only considered in Cluster mode). Accepted values are: ALWAYS, NEVER, SHARE.
Environment variable: QUARKUS_REDIS_REPLICAS
Type: never, share, always. Default: never
quarkus.redis.password
The default password for cluster/sentinel connections.
If not set it will try to extract the value from the current default #hosts.
Environment variable: QUARKUS_REDIS_PASSWORD
Type: string
quarkus.redis.max-pool-size
The maximum size of the connection pool. When working with cluster or sentinel, this value should be at least the total number of cluster members (or number of sentinels + 1)
Environment variable: QUARKUS_REDIS_MAX_POOL_SIZE
Type: int. Default: 6
quarkus.redis.max-pool-waiting
The maximum waiting requests for a connection from the pool.
Sets how many handlers the client is willing to queue.
The client will always work on pipeline mode, this means that messages can start queueing. Using this configuration option, you can control how much backlog you’re willing to accept.
The preferred protocol version to be used during protocol negotiation. When not set, defaults to RESP 3. When protocol negotiation is disabled, this setting has no effect.
The TTL of the hash slot cache. A hash slot cache is used by the clustered Redis client to prevent constantly sending CLUSTER SLOTS commands to the first statically configured cluster node.
This setting is only meaningful in case of a clustered Redis client and has no effect otherwise.
If a name is configured, it uses the configuration from quarkus.tls.<name>.* If a name is configured, but no TLS configuration is found with that name then an error will be thrown.
If no TLS configuration name is set then, quarkus.redis.$client-name.tls will be used.
The default TLS configuration is not used by default.
If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.
When DevServices is enabled, Quarkus will attempt to automatically configure and start a Redis server when running in Dev or Test mode and when Docker is running.
The container image name to use, for container based DevServices providers. If you want to use Redis Stack modules (bloom, graph, search…), use: redis/redis-stack:latest.
Indicates if the Redis server managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Redis starts a new container.
The discovery uses the quarkus-dev-service-redis label. The value is configured using the service-name property.
The value of the quarkus-dev-service-redis label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Redis looks for a container with the quarkus-dev-service-redis label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-redis label set to the specified value.
This property is used when you need multiple shared Redis servers.
Set the local interface to bind for network connections. When the local address is null, it will pick any local address, the default local address is null.
If enabled, the CSRF cookie will have its Secure attribute set even when plain HTTP is used. This may be necessary when running behind a TLS-terminating reverse proxy, where the browser talks HTTPS but the application sees HTTP. The cookie is always marked Secure when HTTPS is used, even if this property is set to false.
Create CSRF token only if the HTTP GET relative request path matches one of the paths configured with this property. Use a comma to separate multiple path values.
Verify the CSRF token in the CSRF filter. If you prefer, you can disable this property and compare the CSRF form and cookie parameters in the application code using JAX-RS jakarta.ws.rs.FormParam (which refers to the form-field-name form property) and jakarta.ws.rs.CookieParam (which refers to the RestCsrfConfig#cookieName cookie). Note that even if CSRF token verification in the filter is disabled, the filter will still check that the token is present, has the correct token-size in bytes, and that the Content-Type HTTP header is either 'application/x-www-form-urlencoded' or 'multipart/form-data'.
Require that only 'application/x-www-form-urlencoded' or 'multipart/form-data' body is accepted for the token verification to proceed. Disable this property for the CSRF filter to avoid verifying the token for POST requests with other content types. This property is only effective if verify-token property is enabled and token-header-name is not configured.
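As an added example (not code from the Quarkus documentation or project), a resource that performs the form/cookie comparison itself when token verification in the filter has been disabled. It assumes the form field and the cookie are both named csrf-token, matching the filter's configured form-field-name and cookie name, and it compares the two values in constant time so a mismatch cannot be probed byte by byte through response timing. The package and resource path are illustrative.

```java
package org.acme.csrf; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.CookieParam;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;

@Path("/profile")
public class ProfileResource {

    // The CSRF filter still enforces presence, token-size and Content-Type
    // before this method runs; only the equality check is done here.
    // "csrf-token" is assumed to match form-field-name and the cookie name.
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public String update(@FormParam("csrf-token") String formToken,
                         @CookieParam("csrf-token") String cookieToken,
                         @FormParam("displayName") String displayName) {
        if (!tokensMatch(formToken, cookieToken)) {
            // Same outcome as the filter's own rejection: 403 without details.
            throw new ForbiddenException();
        }
        return "updated " + displayName;
    }

    /**
     * Constant-time comparison of the double-submit pair. MessageDigest.isEqual
     * does not stop at the first differing byte, unlike String.equals, so the
     * time taken does not reveal how much of the cookie value was guessed.
     * A missing or empty token always fails.
     */
    static boolean tokensMatch(String formToken, String cookieToken) {
        if (formToken == null || cookieToken == null || formToken.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                formToken.getBytes(StandardCharsets.UTF_8),
                cookieToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

Keeping the filter's own verification enabled is the simpler and safer default; the manual variant is only worthwhile when the application needs to combine the token check with other request validation in one place.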
Name of the configured OidcClient used by the OidcClientRequestReactiveFilter. You can override this configuration for individual MP RestClients with the io.quarkus.oidc.client.filter.OidcClientFilter annotation.
Whether the token propagation is enabled during the SecurityIdentity augmentation. For example, you may need to use a REST client from SecurityIdentityAugmentor to propagate the current token to acquire additional roles for the SecurityIdentity. Note, this feature relies on a duplicated context. More information about Vert.x duplicated context can be found in this guide.
Exchange the current token with OpenId Connect Provider for a new token using either "urn:ietf:params:oauth:grant-type:token-exchange" or "urn:ietf:params:oauth:grant-type:jwt-bearer" token grant before propagating it.
Hosts to access without proxy, similar to the http.nonProxyHosts or https.nonProxyHosts JVM settings. Please note that unlike the JVM settings, this property is empty by default.
Can be overwritten by client-specific settings.
This property is not applicable to the RESTEasy Client.
If true, the REST clients will not provide additional contextual information (like REST client class and method names) when an exception occurs during a client invocation.
This property is not applicable to the RESTEasy Client.
Map where keys are fully-qualified provider classnames to include in the client, and values are their integer priorities. The equivalent of the @RegisterProvider annotation.
The CDI scope to use for injections of REST client instances. Value can be either a fully qualified class name of a CDI scope annotation (such as "jakarta.enterprise.context.ApplicationScoped") or its simple name (such as "ApplicationScoped").
Default scope for the rest-client extension is "Dependent" (which is the spec-compliant behavior).
Default scope for the rest-client-reactive extension is "ApplicationScoped".
Can be overwritten by client-specific settings.
Environment variable: QUARKUS_REST_CLIENT_SCOPE
Type: string
quarkus.rest-client.query-param-style
An enumerated type string value with possible values "MULTI_PAIRS" (default), "COMMA_SEPARATED", or "ARRAY_PAIRS" that specifies the format in which multiple values for the same query parameter are sent.
Set whether hostname verification is enabled. Default is enabled. This setting should not be disabled in production, as it makes the client vulnerable to man-in-the-middle (MITM) attacks: without it, any certificate chaining to a trusted CA is accepted regardless of the host name it was issued for.
If not set and the default TLS configuration is configured (quarkus.tls.*) then that will be used. If a name is configured, it uses the configuration from quarkus.tls.<name>.* If a name is configured, but no TLS configuration is found with that name then an error will be thrown.
If no TLS configuration is set, then the key-store, trust-store, etc. properties will be used.
This property is not applicable to the RESTEasy Client.
If the Application-Layer Protocol Negotiation is enabled, the client will negotiate which protocol to use over the protocols exposed by the server. By default, it will try to use HTTP/2 first and if it’s not enabled, it will use HTTP/1.1. When the property http2 is enabled, this flag will be automatically enabled.
Environment variable: QUARKUS_REST_CLIENT_ALPN
Type: boolean
quarkus.rest-client.capture-stacktrace
If true, the stacktrace of the invocation of the REST Client method is captured. This stacktrace will be used if the invocation throws an exception.
The CDI scope to use for injection. This property can contain either a fully qualified class name of a CDI scope annotation (such as "jakarta.enterprise.context.ApplicationScoped") or its simple name (such as "ApplicationScoped"). By default, this is not set which means the interface is not registered as a bean unless it is annotated with RegisterRestClient. If an interface is not annotated with RegisterRestClient and this property is set, then Quarkus will make the interface a bean of the configured scope.
If set to true, then Quarkus will ensure that all calls from the REST client go through a local proxy server (that is managed by Quarkus). This can be very useful for capturing network traffic to a service that uses HTTPS.
This property is not applicable to the RESTEasy Client, only the Quarkus REST client (formerly RESTEasy Reactive client).
This property is only applicable to dev and test mode.
The base URL to use for this service. This property or the uri property is considered required, unless the baseUri attribute is configured in the @RegisterRestClient annotation.
The base URI to use for this service. This property or the url property is considered required, unless the baseUri attribute is configured in the @RegisterRestClient annotation.
This property is only meant to be set by advanced configurations to override whatever value was set for the uri or url. The override is done using the REST Client class name configuration syntax.
This property is not applicable to the RESTEasy Client, only the Quarkus Rest client (formerly RESTEasy Reactive client).
Set to true to share the HTTP client between REST clients. There can be multiple shared clients distinguished by name, when no specific name is set, the name __vertx.DEFAULT is used.
This property is not applicable to the RESTEasy Client.
Set this to define the application path that serves as the base URI for all JAX-RS resource URIs provided by @Path annotations when there are no @ApplicationPath annotations defined on Application classes.
This value is always resolved relative to quarkus.http.root-path.
Environment variable: QUARKUS_REST_PATH
Type: string
quarkus.rest.input-buffer-size
The amount of memory that can be used to buffer input before switching to blocking IO.
By default, we assume a default produced media type of "text/plain" for String endpoint return types. If this is disabled, the default produced media type will be "[text/plain, */*]" which is more expensive due to negotiation.
When one of the quarkus-rest-jackson or quarkus-rest-jsonb extension are active and the result type of an endpoint is an application class or one of Collection, List, Set or Map, we assume the default return type is "application/json" if this configuration is enabled.
An advanced option that can be set when RESTEasy Reactive should NOT reply with 404 when it does not match the URL path and should instead just pass control on to the next Vert.x handler (if any).
If no security annotations are affecting a method then they will default to requiring these roles, (equivalent to adding an @RolesAllowed annotation with the roles to every endpoint class). The role of '**' means any authenticated user, which is equivalent to the io.quarkus.security.Authenticated annotation.
Removes JSON specification restriction on special floating-point values such as NaN and Infinity and enables their serialization and deserialization. When enabling it, please ensure that the receiving party will be able to encode and decode these special values.
Enables structured objects to be serialized as map keys by changing serialized form of the map from JSON object (key-value pairs) to flat array like [k1, v1, k2, v2].
Enables coercing incorrect JSON values to the default property value in the following cases: 1. JSON value is null but property type is non-nullable. 2. Property type is an enum type, but JSON value contains unknown enum member.
Specifies whether null values should be encoded for nullable properties and must be present in JSON object during decoding.
When this flag is disabled properties with null values without default are not encoded; during decoding, the absence of a field value is treated as null for nullable properties without a default value.
Removes the JSON specification restriction (RFC-4627) and makes the parser more liberal with malformed input. In lenient mode quoted boolean literals and unquoted string literals are allowed. Keep in mind that input accepted here may be rejected by other JSON parsers in the same request path (gateways, validators, log processors), so the two can disagree about what a payload contains.
Its relaxations can be expanded in the future, so that lenient parser becomes even more permissive to invalid value in the input, replacing them with defaults.
Specifies whether Json instance makes use of [JsonNames] annotation.
Disabling this flag when one does not use [JsonNames] at all may sometimes result in better performance, particularly when a large count of fields is skipped with [ignoreUnknownKeys].
Specifies the JsonNamingStrategy that should be used for all properties in classes for serialization and deserialization. This strategy is applied for all entities that have StructureKind.CLASS.
null by default.
This element can be one of two things:
the fully qualified class name of a type that implements the NamingStrategy interface and has a no-arg constructor
a value in the form NamingStrategy.SnakeCase which refers to built-in values provided by the kotlin serialization library itself.
The size of the output stream response buffer. If a response is larger than this and no content-length is provided then the request will be chunked. Larger values may give slight performance increases for large responses, at the expense of more memory usage.
If this is true (the default) then JSON is set to the default media type. If a method has no produces/consumes and there is no builtin provider that can handle the type then we will assume the response should be JSON. Note that this will only take effect if a JSON provider has been installed, such as quarkus-resteasy-jsonb or quarkus-resteasy-jackson.
If this is true then JAX-RS will use only a single instance of a resource class to service all requests.
If this is false then it will create a new instance of the resource per request.
If the resource class has an explicit CDI scope annotation then the value of this annotation will always be used to control the lifecycle of the resource class.
IMPLEMENTATION NOTE: jakarta.ws.rs.Path turns into a CDI stereotype with singleton scope. As a result, if a user annotates a JAX-RS resource with a stereotype which has a different default scope the deployment fails with IllegalStateException.
Set this to override the default path for JAX-RS resources if there are no annotated application classes. This path is specified with a leading /, but is resolved relative to quarkus.http.root-path.
If quarkus.http.root-path=/ and quarkus.resteasy.path=/bar, the JAX-RS resource path will be /bar
If quarkus.http.root-path=/foo and quarkus.resteasy.path=/bar, the JAX-RS resource path will be /foo/bar
Environment variable: QUARKUS_RESTEASY_PATH
Type: string. Default: /
quarkus.resteasy.ignore-application-classes
Ignore all explicit JAX-RS Application classes. As multiple JAX-RS applications are not supported, this can be used to effectively merge all JAX-RS applications.
Enable OidcClientRequestFilter for all the injected MP RestClient implementations. If this property is disabled then OidcClientRequestFilter has to be registered as an MP RestClient provider.
Name of the configured OidcClient used by the OidcClientRequestFilter. You can override this configuration for individual MP RestClient with the io.quarkus.oidc.client.filter.OidcClientFilter annotation.
Enable either AccessTokenRequestFilter or JsonWebTokenRequestFilter for all the injected MP RestClient implementations. AccessTokenRequestFilter can propagate both opaque (binary) and JsonWebToken tokens but it can not modify and secure the updated JsonWebToken tokens. JsonWebTokenRequestFilter can only propagate JsonWebToken tokens but it can also modify and secure them again. Enable the 'jsonWebToken' property to have JsonWebTokenRequestFilter registered. Alternatively, instead of using this property for registering these filters with all the injected MP RestClient implementations, both filters can be registered as MP RestClient providers with the specific MP RestClient implementations.
Enable JsonWebTokenRequestFilter instead of AccessTokenRequestFilter for all the injected MP RestClient implementations. This filter can propagate as well as modify and secure the updated JsonWebToken tokens. Note this property is ignored unless the 'registerFilter' property is enabled.
Secure the injected and possibly modified JsonWebToken. For example, a JsonWebToken produced and signed by OpenId Connect provider can be re-signed using a new private key. Note this property is injected into JsonWebTokenRequestFilter.
Exchange the current token with OpenId Connect Provider for a new token using either "urn:ietf:params:oauth:grant-type:token-exchange" or "urn:ietf:params:oauth:grant-type:jwt-bearer" token grant before propagating it. Note this property is injected into AccessTokenRequestFilter.
Name of the configured OidcClient. Note this property is injected into AccessTokenRequestFilter and is only used if the exchangeToken property is enabled.
Controls whether tracing is enabled. If set to true and the OpenTelemetry extension is present, tracing will be enabled, creating automatic Spans for each scheduled task.
By default, only one Scheduler implementation is used. If set to true then a composite Scheduler that delegates to all running implementations is used.
Scheduler implementations will be started depending on the value of quarkus.scheduler.start-mode, i.e. the scheduler is not started unless a relevant io.quarkus.scheduler.Scheduled business method is found.
Scheduler can be started in different modes. By default, the scheduler is not started unless a io.quarkus.scheduler.Scheduled business method is found.
normal - The scheduler is not started unless a io.quarkus.scheduler.Scheduled business method is found.
forced - The scheduler will be started even if no scheduled business methods are found. This is necessary for "pure" programmatic scheduling.
halted - Just like the forced mode but the scheduler will not start triggering jobs until Scheduler#resume() is called. This can be useful to run some initialization logic that needs to be performed before the scheduler starts.
Schema Registry - Dev Services
quarkus.apicurio-registry.devservices.enabled
If Dev Services for Apicurio Registry has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For Apicurio Registry, Dev Services starts a registry unless mp.messaging.connector.smallrye-kafka.apicurio.registry.url or mp.messaging.connector.smallrye-kafka.schema.registry.url is set.
The Apicurio Registry image to use. Note that only Apicurio Registry 2.x images are supported. Specifically, the image repository must end with apicurio/apicurio-registry-mem.
Indicates if the Apicurio Registry instance managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Apicurio Registry starts a new container.
The discovery uses the quarkus-dev-service-apicurio-registry label. The value is configured using the service-name property.
The value of the quarkus-dev-service-apicurio-registry label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Apicurio Registry looks for a container with the quarkus-dev-service-apicurio-registry label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-apicurio-registry label set to the specified value.
This property is used when you need multiple shared Apicurio Registry instances.
If set to true, access to all methods of beans that have any security annotations on other members will be denied by default. E.g. if enabled, in the following bean, methodB will be denied.
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;

@ApplicationScoped
public class A {
    @RolesAllowed("admin")
    public void methodA() {
        // reachable only by callers holding the "admin" role
    }

    public void methodB() {
        // unannotated: denied because methodA carries a security annotation and this option is enabled
    }
}
The origin of the application. The origin is basically protocol, host and port. If you are calling WebAuthn API while your application is located at https://example.com/login, then origin will be https://example.com. If you are calling from http://localhost:2823/test, then the origin will be http://localhost:2823. Please note that WebAuthn API will not work on pages loaded over HTTP, unless it is localhost, which is considered secure context.
Environment variable: QUARKUS_WEBAUTHN_ORIGIN
Type: string
quarkus.webauthn.transports
Authenticator Transports allowed by the application. Authenticators can interact with the user web browser through several transports. Applications may want to restrict the transport protocols for extra security hardening reasons. By default, all transports should be allowed. If your application is to be used by mobile phone users, you may want to restrict only the INTERNAL authenticator to be allowed. Permitted values are:
USB - USB connected authenticators (e.g. YubiKeys)
Kind of Authenticator Attachment allowed. Authenticators can connect to your device in two forms:
PLATFORM - the Authenticator is built into your device (e.g. a security chip)
CROSS_PLATFORM - the Authenticator can roam across devices (e.g. a USB Authenticator)
For security reasons your application may choose to restrict to a specific attachment mode. If omitted, then any mode is permitted.
Resident key required. A resident (discoverable) credential is stored on the authenticator itself rather than being reconstructed from a credential ID supplied by the server, so the authenticator can locate it without the server naming it first; this is what makes usernameless login flows possible. The private key never leaves the authenticator in either case; what differs is whether the authenticator keeps its own record of the credential, which consumes storage that small-capacity devices can exhaust.
User Verification requirements. User verification means the authenticator confirms the enrolled user (PIN, biometric or similar), which is stronger than user presence (a touch). WebAuthn applications may choose REQUIRED verification to assert that it is the enrolled user, not merely someone holding the authenticator, who completes the ceremony, but in some cases applications may want to reduce the interactions with the user, i.e. prevent the use of pop-ups. Only REQUIRED guarantees verification took place; with PREFERRED the server must inspect the UV flag in the returned authenticator data before relying on it. Valid values are:
REQUIRED - the authenticator must verify the user, and the ceremony fails if it cannot
PREFERRED - user verification is requested when the authenticator supports it, but the ceremony proceeds without it otherwise
DISCOURAGED - the authenticator should avoid prompting the user for verification
Non-negative User Verification timeout. Authentication must occur within the timeout, this will prevent the user browser from being blocked with a pop-up required user verification, and the whole ceremony must be completed within the timeout period. After the timeout, any previously issued challenge is automatically invalidated.
Device Attestation Preference. During registration, applications may want to attest the device. Attestation is a cryptographic verification of the authenticator hardware (its model and provenance, not the individual user). Because an attestation statement can identify the authenticator model, it affects user privacy, and browsers might override the desired configuration on the user's behalf. Valid values are:
NONE - no attestation data is requested; the registration is still bound to the newly created credential key
INDIRECT - attestation data is requested, but the client may replace it with an anonymized statement (for example one issued by a trusted privacy CA)
DIRECT - the authenticator's own attestation statement is requested
ENTERPRISE - attestation that may uniquely identify the device is requested, with the AAGUID returned unaltered; intended for enterprise-managed authenticators and only honoured where the browser or authenticator is configured to allow it
Allowed Public Key Credential algorithms by preference order. Webauthn mandates that all authenticators must support at least the following 2 algorithms: ES256 and RS256. Applications may require stronger keys and algorithms, for example: ES512 or EdDSA. Note that the use of stronger algorithms, e.g.: EdDSA may require Java 15 or a cryptographic JCE provider that implements the algorithms.
How old a cookie can get before it will be replaced with a new cookie with an updated timeout, also referred to as "renewal-timeout". Note that smaller values will result in slightly more server load (as new encrypted cookies will be generated more often); however, larger values affect the inactivity timeout because the timeout is set when a cookie is generated. For example if this is set to 10 minutes, and the inactivity timeout is 30m, if a user’s last request is when the cookie is 9m old then the actual timeout will happen 21m after the last request because the timeout is only refreshed when a new cookie is generated. That is, no timeout is tracked on the server side; the timestamp is encoded and encrypted in the cookie itself, and it is decrypted and parsed with each request.
Max-Age attribute for the session cookie. This is the amount of time the browser will keep the cookie. The default value is empty, which means the cookie will be kept until the browser is closed.
The rootPath under which queries will be served. Defaults to graphql. By default, this value will be resolved as a path relative to ${quarkus.http.root-path}.
Enable Apollo Federation. If this value is unspecified, then federation will be enabled automatically if any GraphQL Federation annotations are detected in the application.
List of extension fields that should be included in the error response. By default, none will be included. Examples of valid values include [exception,classification,code,description,validationErrorType,queryPath]
List of Runtime Exceptions class names that should show the error message. By default, Runtime Exception messages will be hidden and a generic Server Error message will be returned.
Subprotocols that should be supported by the server for graphql-over-websocket use cases. Allowed subprotocols are "graphql-ws" and "graphql-transport-ws". By default, both are enabled.
The path where GraphQL UI is available. The value / is not allowed as it blocks the application from serving anything else. By default, this URL will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
Configuration item to enable build-time scanning in Quarkus for generating typesafe GraphQL client models. If true, build-time scanning is enabled. By default, it is true.
WebSocket subprotocols that should be supported by this client for running GraphQL operations over websockets. Allowed values are:
- graphql-ws for the deprecated Apollo protocol
- graphql-transport-ws for the newer GraphQL over WebSocket protocol (default value)
If multiple protocols are provided, the actual protocol to be used will be subject to negotiation with the server.
Maximum time in milliseconds that will be allowed to wait for the server to acknowledge a websocket connection (send a subprotocol-specific ACK message).
Root path for health-checking endpoints. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
The relative path of the liveness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the readiness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the wellness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the startup health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
If the management interface is turned on, the health endpoints and UI will be published under the management interface. This allows you to exclude Health from management by setting the value to false.
The path where Health UI is available. The value / is not allowed as it blocks the application from serving anything else. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
Always create an HTTP 401 challenge, even for requests containing no authentication credentials. The JWT authentication mechanism will return HTTP 401 when an authentication challenge is required. However, if it is used alongside one of the interactive authentication mechanisms, then returning HTTP 401 to users accessing the application from a browser may not be desired. If you prefer, you can request that the JWT authentication mechanism does not create a challenge in such cases by setting this property to 'true'.
Environment variable: QUARKUS_SMALLRYE_JWT_SILENT
boolean
false
SmallRye Metrics
quarkus.smallrye-metrics.path
The path to the metrics handler. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
Apply Micrometer compatibility mode, where instead of regular 'base' and 'vendor' metrics, Quarkus exposes the same 'jvm' metrics that Micrometer does. Application metrics are unaffected by this mode. The use case is to facilitate migration from Micrometer-based metrics, because original dashboards for JVM metrics will continue working without having to rewrite them.
If the management interface is turned on, the OpenAPI schema document will be published under the management interface. This allows you to exclude OpenAPI from management by setting the value to false.
The value / is not allowed as it blocks the application from serving anything else. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
Environment variable: QUARKUS_SWAGGER_UI_PATH
string
swagger-ui
quarkus.swagger-ui.always-include
If this should be included every time. By default, this is only included when the application is running in dev mode.
The urls that will be included as options. By default, the OpenAPI path will be used. Here you can override that and supply multiple urls that will appear in the TopBar plugin.
If set, enables filtering. The top bar will show an edit box that you can use to filter the tagged operations that are shown. Can be Boolean to enable or disable, or a string, in which case filtering will be enabled using that string as the filter expression. Filtering is case-sensitive matching the filter expression anywhere inside the tag.
Environment variable: QUARKUS_SWAGGER_UI_FILTER
string
quarkus.swagger-ui.max-displayed-tags
If set, limits the number of tagged operations displayed to at most this many. The default is to show all operations.
Apply a sort to the operation list of each API. It can be 'alpha' (sort by paths alphanumerically), 'method' (sort by HTTP method) or a function (see Array.prototype.sort() to know how sort function works). Default is the order returned by the server unchanged.
Apply a sort to the tag list of each API. It can be 'alpha' (sort by paths alphanumerically) or a function (see Array.prototype.sort() to learn how to write a sort function). Two tag name strings are passed to the sorter for each pass. Default is the order determined by Swagger UI.
MUST be a function. Function to intercept remote definition, "Try it out", and OAuth 2.0 requests. Accepts one argument requestInterceptor(request) and must return the modified request, or a Promise that resolves to the modified request.
If set, MUST be an array of command line options available to the curl command. This can be set on the mutated request in the requestInterceptor function.
MUST be a function. Function to intercept remote definition, "Try it out", and OAuth 2.0 responses. Accepts one argument responseInterceptor(response) and must return the modified response, or a Promise that resolves to the modified response.
If set to true, uses the mutated request returned from a requestInterceptor to produce the curl command in the UI, otherwise the request before the requestInterceptor was applied is used.
List of HTTP methods that have the "Try it out" feature enabled. An empty array disables "Try it out" for all operations. This does not filter the operations from the display.
list of get, put, post, delete, options, head, patch, trace
quarkus.swagger-ui.validator-url
By default, Swagger UI attempts to validate specs against swagger.io’s online validator. You can use this parameter to set a different validator URL, for example for locally deployed validators (Validator Badge). Setting it to either none, 127.0.0.1 or localhost will disable validation.
Function to set default values for parameters. Accepts two arguments parameterMacro(operation, parameter). Operation and parameter are objects passed for context; both remain immutable.
OAuth only activated for the accessCode flow. During the authorization_code request to the tokenUrl, pass the Client Password using the HTTP Basic Authentication scheme - Used in the initOAuth method.
OAuth only applies to authorization code flows. Proof Key for Code Exchange brings enhanced security for OAuth public clients - Used in the initOAuth method.
Server Name Indication (SNI) is a TLS extension that allows a client to specify the hostname it is attempting to connect to during the TLS handshake. This enables a server to present different SSL certificates for multiple domains on a single IP address, facilitating secure communication for virtual hosting scenarios.
With this setting enabled, the client indicates the server name during the TLS handshake, allowing the server to select the right certificate.
When configuring the keystore with PEM files, multiple CRT/key pairs must be given. When configuring the keystore with a JKS or a P12 file, one alias is selected based on the SNI hostname. In this case, the keystore password and all alias passwords must be the same (configured with the password and alias-password properties). Do not set the alias property.
Environment variable: QUARKUS_TLS_KEY_STORE_SNI
boolean
false
quarkus.tls.key-store.credentials-provider.name
The name of the "credential" bucket (map key → passwords) to retrieve from the io.quarkus.credentials.CredentialsProvider. If not set, the credential provider will not be used.
A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration.
The name of the bean providing the credential provider.
The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the @Named annotation set to the configured name to be selected.
If not set, the default credential provider is used.
If the selected credential provider does not support the key, the password is not retrieved. Otherwise, the retrieved value is used to open the key store.
The key used to retrieve the key store alias password.
If the selected credential provider does not contain the key, the alias password is not retrieved. Otherwise, the retrieved value is used to access the alias private key from the key store.
The name of the "credential" bucket (map key → passwords) to retrieve from the io.quarkus.credentials.CredentialsProvider. If not set, the credential provider will not be used.
A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration.
The name of the bean providing the credential provider.
The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the @Named annotation set to the configured name to be selected.
If not set, the default credential provider is used.
The key used to retrieve the trust store password.
If the selected credential provider does not contain the configured key, the password is not retrieved. Otherwise, the retrieved value is used to open the trust store.
Sets the ordered list of enabled cipher suites. If none is given, a reasonable default is selected from the built-in ciphers.
When suites are set, it takes precedence over the default suite defined by the SSLEngineOptions in use.
Environment variable: QUARKUS_TLS_CIPHER_SUITES
list of string
quarkus.tls.protocols
Sets the ordered list of enabled TLS protocols.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3".
Note that setting an empty list while enabling TLS is invalid. You must have at least one protocol.
Also, setting this replaces the default list of protocols rather than extending it.
Enables the Application-Layer Protocol Negotiation (ALPN).
Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection.
Environment variable: QUARKUS_TLS_ALPN
boolean
true
quarkus.tls.certificate-revocation-list
Sets the list of revoked certificates (paths to files).
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore.
Two formats are allowed: DER and PKCS#7 (also known as P7B). When using the DER format, you must pass DER-encoded CRLs. When using the PKCS#7 format, you must pass a PKCS#7 SignedData object, with the only significant field being crls.
If set to true, the server trusts all certificates.
This is useful for testing, but should not be used in production.
Environment variable: QUARKUS_TLS_TRUST_ALL
boolean
false
quarkus.tls.hostname-verification-algorithm
The hostname verification algorithm to use in case the server's identity should be checked. Should be HTTPS (default), LDAPS or NONE.
If set to NONE, it does not verify the hostname.
If not set, the configured extension decides the default algorithm to use. For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol. Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS".
When configured, the server will reload the certificates (from the file system, for example) and fire a CertificateUpdatedEvent if the reload is successful.
This property configures the period at which to reload the certificates. If not set, the certificates won't be reloaded automatically. However, the application can still trigger the reload manually using the io.quarkus.tls.TlsConfiguration#reload() method, and then fire the CertificateUpdatedEvent manually.
The fired event is used to notify the application that the certificates have been updated, and thus proceed with the actual switch of certificates.
Server Name Indication (SNI) is a TLS extension that allows a client to specify the hostname it is attempting to connect to during the TLS handshake. This enables a server to present different SSL certificates for multiple domains on a single IP address, facilitating secure communication for virtual hosting scenarios.
With this setting enabled, the client indicates the server name during the TLS handshake, allowing the server to select the right certificate.
When configuring the keystore with PEM files, multiple CRT/key pairs must be given. When configuring the keystore with a JKS or a P12 file, one alias is selected based on the SNI hostname. In this case, the keystore password and all alias passwords must be the same (configured with the password and alias-password properties). Do not set the alias property.
The name of the "credential" bucket (map key → passwords) to retrieve from the io.quarkus.credentials.CredentialsProvider. If not set, the credential provider will not be used.
A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration.
The name of the bean providing the credential provider.
The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the @Named annotation set to the configured name to be selected.
If not set, the default credential provider is used.
If the selected credential provider does not support the key, the password is not retrieved. Otherwise, the retrieved value is used to open the key store.
The key used to retrieve the key store alias password.
If the selected credential provider does not contain the key, the alias password is not retrieved. Otherwise, the retrieved value is used to access the alias private key from the key store.
The name of the "credential" bucket (map key → passwords) to retrieve from the io.quarkus.credentials.CredentialsProvider. If not set, the credential provider will not be used.
A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration.
The name of the bean providing the credential provider.
The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the @Named annotation set to the configured name to be selected.
If not set, the default credential provider is used.
The key used to retrieve the trust store password.
If the selected credential provider does not contain the configured key, the password is not retrieved. Otherwise, the retrieved value is used to open the trust store.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3".
Note that setting an empty list while enabling TLS is invalid. You must have at least one protocol.
Also, setting this replaces the default list of protocols rather than extending it.
Enables the Application-Layer Protocol Negotiation (ALPN).
Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection.
Sets the list of revoked certificates (paths to files).
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore.
Two formats are allowed: DER and PKCS#7 (also known as P7B). When using the DER format, you must pass DER-encoded CRLs. When using the PKCS#7 format, you must pass a PKCS#7 SignedData object, with the only significant field being crls.
The hostname verification algorithm to use in case the server's identity should be checked. Should be HTTPS (default), LDAPS or NONE.
If set to NONE, it does not verify the hostname.
If not set, the configured extension decides the default algorithm to use. For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol. Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS".
When configured, the server will reload the certificates (from the file system, for example) and fire a CertificateUpdatedEvent if the reload is successful.
This property configures the period at which to reload the certificates. If not set, the certificates won't be reloaded automatically. However, the application can still trigger the reload manually using the io.quarkus.tls.TlsConfiguration#reload() method, and then fire the CertificateUpdatedEvent manually.
The fired event is used to notify the application that the certificates have been updated, and thus proceed with the actual switch of certificates.
The context path for Servlet content. This will determine the path used to resolve all Servlet-based resources, including JAX-RS resources - when using the Undertow extension in conjunction with RESTEasy.
This path is specified with a leading /, but is resolved relative to quarkus.http.root-path.
If quarkus.http.root-path=/ and quarkus.servlet.context-path=/bar, the servlet path will be /bar
If quarkus.http.root-path=/foo and quarkus.servlet.context-path=/bar, the servlet path will be /foo/bar
The buffer size to use for Servlet. If this is not specified, the default depends on the amount of available memory: with less than 64mb it defaults to a 512b heap buffer, with less than 128mb to a 1k direct buffer, and otherwise to 16k direct buffers.
Environment variable: QUARKUS_SERVLET_BUFFER_SIZE
MemorySize
quarkus.servlet.direct-buffers
Whether Servlet should use direct buffers. This gives maximum performance but can be problematic in memory-constrained environments.
The maximum number of HTTP request parameters permitted for Servlet requests. If a client sends more than this number of parameters in a request, the connection is closed.
Configure the file cache directory. When not set, the cache is stored in the system temporary directory (read from the java.io.tmpdir system property). If java.io.tmpdir is not set, the current directory (.) is used.
Note that this property is ignored if the vertx.cacheDirBase system property is set.
The queue size. For most applications this should be unbounded.
Environment variable: QUARKUS_VERTX_QUEUE_SIZE
int
quarkus.vertx.growth-resistance
The executor growth resistance.
A resistance factor applied after the core pool is full; values applied here will cause that fraction of submissions to create new threads when no idle thread is available. A value of 0.0f implies that threads beyond the core size should be created as aggressively as threads within it; a value of 1.0f implies that threads beyond the core size should never be created.
Prefill the thread pool when creating a new Executor. When io.vertx.core.spi.ExecutorServiceFactory#createExecutor is called, initialise it with the number of defined threads at startup.
Set the hosts configuration refresh period in millis; 0 (default) disables it.
The resolver caches the hosts configuration (configured using quarkus.vertx.resolver.hosts-path) after it has read it. When the content of this file can change, setting a positive refresh period will load the configuration file again when necessary.
Set the list of DNS server addresses. An address is the IP of the DNS server, followed by an optional colon and a port, e.g. 8.8.8.8 or 192.168.0.1:40000. When the list is empty, the resolver will use the list of the system DNS server addresses from the environment; if that list cannot be retrieved it will use Google's public DNS servers "8.8.8.8" and "8.8.4.4".
Set to true to enable the automatic inclusion in DNS queries of an optional record that hints the remote DNS server about how much data the resolver can read per response.
Set the ndots value used when resolving using search domains, the default value is -1 which determines the value from the OS on Linux or uses the value 1.
Set to true to enable round-robin selection of the DNS server to use. It spreads the query load among the servers and avoids all lookups hitting the first server in the list.
The shutdown timeout. If all pending work has not been completed by this time, then any pending tasks will be interrupted and the shutdown process will continue.
The frequency at which the status of the executor service should be checked during shutdown. Setting this key to an empty value disables the shutdown check interval.
A flag to explicitly disable virtual threads, even if the JVM supports them. In this case, methods annotated with @RunOnVirtualThread are executed on the worker thread pool.
This flag is intended to be used when running on virtual threads becomes more expensive than plain worker threads, because of pinning, monopolization or thread-based object pools.
If the websocket methods should be run in a worker thread. This allows them to run blocking tasks, however it will not be as fast as running directly in the IO thread.
If a name is configured, it uses the configuration from quarkus.tls.<name>.*. If a name is configured but no TLS configuration is found with that name, then an error will be thrown.
The default TLS configuration is not used by default.
Quarkus redirects the HTTP handshake request to this URL if an HTTP upgrade is rejected due to an authorization failure. This configuration property takes effect when you secure an endpoint with a standard security annotation. For example, the HTTP upgrade is secured if an endpoint class is annotated with the @RolesAllowed annotation.